"On 9th January 2014, posted below image on twitter
So is this post related to that? Will get to it soon or probably next month.haha..
In this post I'm going to share to you a bug that manage me to be inside Google Vulnerability Reward Program G+ Community here
The bug is a Self Stored XSS in Youtube.
Let us see how the XSS exist.
In Youtube video manager, there's a function for a user to create Captions for his/her video(s).
Put our XSS payload in the script box and save.
Once we play the video, our XSS will be executed.
Check on below screenshots :)
But..there's a problem! The XSS only executing in Caption's Video Manager. Which in other word the XSS is only stored for that user only.
There's must be a way to exploit or to manipulate this vulnerability. Last time I managed to find a way to Yaying this Nay in Google Adwords. You guys can check on it http://c0rni3sm.blogspot.com/2013/12/google-adwords-stored-xss-from-nay-to.html
I browsed a few times to see is there any share or embed function in this Captions thing. And then.
I noticed that, there's a function where a user can request for a translation from 3rd party or other users. So how this function working?
User request for his/her video for a translation.
User able to choose either from 3rd party or by other Google Users.
Manipulating time.Let assume that, there's a community for English series, Movies, Korean dramas that have some translator for Youtube's caption..and among them, there's an attacker >: )
Attacker will received the invitation.
Attacker put his/her evil code in the middle of translations.
Send to the requester for approval.
Once done, the requester will get an email notification and what she/he need to do is review the translated caption and approve it. So what happen next? The XSS will be executed
03 December 2013 - Reported via VRP form
07 December 2013 - Received a reply from Martin,Google Security Team
07 December 2013 - Google Team asked for more information to reproduce
08-10 December 2013 - Fixed around these dates.
11 December 2013 - Received a reward email from Google
10 January 2014 - Kevin,Google Security Team confirmed the fix. "