Google Inc., (Youtube.com) Unrestricted File Upload Vulnerability.
Google's YouTube Unrestricted File Upload Report
===========================================
Published Report: 27/02/2014
Credits: Advanced Information Security Corporation, USA
Type: Web Application / Unrestricted File Upload
(Upload of other file-formats not supported by default function.)

Author: Nicholas Lemonias. (Information Security Expert)

Vendor Overview
===========================
Google INC is an American multinational corporation specializing in
Internet-related services and products.
These include search, cloud computing, software, and online advertising
technologies.
Google was founded by Larry Page and Sergey Brin while they were Ph.D.
students at Stanford University.
They incorporated Google as a privately held company on September 4, 1998.
An initial public offering followed on August 19, 2004.
Its mission statement from the outset was "to organize the world's
information and make it universally accessible and useful", and its
unofficial slogan was "Don't be evil".

Service Overview
===========================
YouTube is a video-sharing website, created by three former PayPal
employees in February 2005 and owned by Google since late 2006, on which
users can upload, view and share videos.
The company is based in San Bruno, California, and uses Adobe Flash Video
and HTML5 technology to display a wide variety of user-generated video
content, including video clips, TV clips,
and music videos, and amateur content such as video blogging, short
original videos, and educational videos. Most of the content on YouTube has
been uploaded by individuals, but media corporations
including CBS, the BBC, Vevo, Hulu, and other organizations offer some of
their material via YouTube, as part of the YouTube partnership program.
Unregistered users can watch videos,
and registered users can upload an unlimited number of videos. YouTube,
LLC was acquired by Google for US$1.65 billion in November 2006 and now
operates as a Google subsidiary.


Description
============================
A security report was made to Google Inc. on the 26th of February, in
reference to Google's coordinated security reward program that encourages
responsible disclosure.
The security issue presented allowed circumvention of web-based control
handlers used by the YouTube API, which determined the file-types permitted
to be written on YouTube's store-servers.
The validation occurred at the application-layer, through a web-based form;
therefore a user could tamper with the HTTP data in order to bypass any
web-based file-type validation checks,
and consequently upload any file of choice to the remote storage
network. However, it is pertinent to note that remote code execution has not
been confirmed in this report.

Coordinated Vulnerability Disclosure Timeline
====================================
[+] 26th of February 2014 - Contacted Vendor regarding the realisation.
[+] 27th of February 2014 - Confirmation of Unrestricted File Uploads
issue; Problem Mitigation.


* This realisation was reported to the relevant security teams which acted
immediately to remediate the issues.
** The Vendor did not award a bug bounty in this case.

** This vulnerability report is posted for the wider benefit of the
security community, on AS IS conditions and without any warranties,
including the warranty of merchantability and capability fit for a
particular purpose. Thus in no event shall the author/distributor be held
liable for any damages whatsoever arising out of or in connection with the
use or spread of this information.

This information is posted under the FOI, on an AS IS condition,
and as per best security practices.

* Copyrights Advanced Information Security Corp (c), 2014 - *
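
The Description above attributes the issue to file-type validation that could be bypassed by tampering with the HTTP data. The following is an added example, not part of the original report and not Google's code, of a server-side check that decides from the uploaded bytes instead of request metadata. The allow-list, function names and sample bytes are assumptions constructed for illustration.

```python
import os

# Assumed policy: container formats the service accepts.
ALLOWED_EXTENSIONS = {".mp4", ".webm", ".avi"}

def sniff_container(head: bytes):
    """Return the container type implied by the leading bytes, or None."""
    if len(head) >= 12 and head[4:8] == b"ftyp":
        return ".mp4"    # ISO base media: 4-byte box size, then 'ftyp'
    if head[:4] == b"\x1a\x45\xdf\xa3":
        return ".webm"   # EBML header (shared by Matroska and WebM)
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return ".avi"
    return None

def validate_upload(filename: str, declared_type: str, body: bytes):
    """Server-side decision: returns (accepted, reason, alert).

    filename and declared_type come from the request and are fully
    client-controlled, so neither is sufficient to accept a file.
    """
    # basename() drops '/'-separated path components sent by the client.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    detected = sniff_container(body[:16])
    if ext not in ALLOWED_EXTENSIONS:
        reason = "extension not on allow-list"
    elif detected is None:
        reason = "content is not a recognised video container"
    elif detected != ext:
        reason = "extension does not match content"
    else:
        return True, "ok", False
    # A request that claimed video/* but failed the checks is worth alerting on.
    return False, reason, declared_type.lower().startswith("video/")

# Constructed sample inputs (not captured traffic).
MP4_SAMPLE = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 8
TEXT_SAMPLE = b"plain text, constructed sample"

if __name__ == "__main__":
    for name, ctype, data in [
        ("clip.mp4", "video/mp4", MP4_SAMPLE),    # genuine upload
        ("clip.mp4", "video/mp4", TEXT_SAMPLE),   # metadata altered in transit
        ("notes.txt", "text/plain", TEXT_SAMPLE), # unsupported type
    ]:
        print(name, ctype, validate_upload(name, ctype, data))
```

Signature sniffing only establishes the container type; a production pipeline would still store uploads outside any executable path and re-encode them before serving.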