Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The Embedded YouTube Player Told Me What You Were Watching (and more)

David Schütz, posted 4 years ago
  • YouTube is used for saving videos and watching them later. YouTube has 4 built-in playlists, whose IDs can be derived from the account ID.
  • YouTube videos can be embedded in iframes. However, a common use case is to start or pause the video from JavaScript on the host site. Direct access to the frame is not possible because of the Same-Origin Policy (SOP), so the way YouTube solved this was to add a postMessage API that lets the parent frame talk to the embedded YouTube frame.
  • Using this API, the YouTube video can be started, paused, seeked and so on. An important thing to note: if YOU are logged into YouTube, so is the embedded player.
  • Anybody see where this is going? This is essentially cross-account stealing of YouTube data. Because the user is logged in and the IDs of these private playlists are predictable, a bunch of information can be leaked over the postMessage API. This includes your Watch Later videos and your Liked Videos, with no problem, because the playlist IDs can be derived from your account ID.
  • To make this even worse, there is an uploads playlist. YouTube has three visibility settings for videos: public, private and unlisted. Unlisted is public for anybody who has the ID, but is meant NOT to appear in regular YouTube search. By leaking the uploads playlist IDs, it would be possible to watch a load of the victim account's unlisted videos.
  • This bug was fairly high level: a deliberate bypass of the SOP by YouTube resulted in a major issue. The author finishes with a quote that I cannot agree with more: "In my opinion, the more you understand a system, the more ideas about how to break it will just naturally come to mind."
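As an added example (not code from the original post or from YouTube), this is the check the embedded frame's postMessage handler needs so that account-bound replies only go to trusted parent origins. The handler names, the fake playlist and the origins are all constructed for illustration.

```javascript
// Constructed sample of account-bound data that must never leave the embed
// to an arbitrary parent page (placeholder id, not a real playlist).
const PRIVATE_PLAYLIST = { id: "WL-EXAMPLE", items: ["video-a", "video-b"] };

// Commands that only affect playback carry no account data.
const PLAYBACK_COMMANDS = new Set(["play", "pause", "seekTo"]);

// Parse a postMessage payload; player embeds typically send JSON strings.
function parseMessage(data) {
  try {
    const msg = typeof data === "string" ? JSON.parse(data) : data;
    return msg && typeof msg.command === "string" ? msg : null;
  } catch {
    return null;
  }
}

// Build a handler for the embedded frame. `allowedOrigins` lists the parent
// origins trusted to read playlist contents; everyone else gets playback only.
// In a real frame the returned reply would be sent with
// event.source.postMessage(reply, reply.targetOrigin).
function makeEmbedHandler(allowedOrigins) {
  const trusted = new Set(allowedOrigins);
  return function onMessage(event) {
    const msg = parseMessage(event.data);
    if (!msg) return { status: "rejected", reason: "malformed" };
    if (PLAYBACK_COMMANDS.has(msg.command)) {
      return { status: "ok", command: msg.command, targetOrigin: event.origin };
    }
    if (msg.command === "getPlaylist") {
      // The bug class above: the reply comes from the logged-in session, so
      // the parent's origin decides whether it may be answered at all.
      if (!trusted.has(event.origin)) {
        return { status: "rejected", reason: "untrusted-origin" };
      }
      // Reply pinned to the requesting origin, never "*".
      return { status: "ok", playlist: PRIVATE_PLAYLIST, targetOrigin: event.origin };
    }
    return { status: "rejected", reason: "unknown-command" };
  };
}

// The vulnerable shape for contrast: answers any parent, reply sent to "*".
function vulnerableHandler(event) {
  const msg = parseMessage(event.data);
  if (!msg) return { status: "rejected", reason: "malformed" };
  if (msg.command === "getPlaylist") {
    return { status: "ok", playlist: PRIVATE_PLAYLIST, targetOrigin: "*" };
  }
  return { status: "ok", command: msg.command, targetOrigin: "*" };
}
```

The same origin check belongs on the parent side too: a `message` listener on the host page should ignore events whose `event.origin` is not the embed's origin.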