YouTube Gaming which Google launched in August, works as a separate section of the famous YouTube video sharing portal, where online gamers can stream their games, watch other people play live, or view game-related clips.
Security researcher Ashar Javed has uncovered a reflected XSS (Cross-Site Scripting) flaw in YouTube Gaming. Javed published a blog post outlining how he found it in two minutes flat.
Javed says that Google's developers had escaped or converted dangerous characters such as ", ' and < in YouTube Gaming, so attackers could not use them directly. However, they forgot to handle the < / combination. Because that sequence was left unprotected, the researcher could use a simple payload of the form:
< /script>< script >MALICIOUS CODE< /script>
which he appended at the end of a simple YouTube Gaming query, like this:
https://gaming.youtube.com/results?search_query=< /script>< script >MALICIOUS CODE< /script>
Using this entry point, hackers could have triggered reflected XSS attacks, which would have allowed them to steal cookies or alter the page's content if they had tricked users into clicking malformed links that contained the malicious code.
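The defensive lesson here is that HTML-escaping a few characters is not enough when a value is reflected inside an inline script block: the HTML parser ends the script element at the first `</script` it sees, regardless of JavaScript string syntax. The following added example (not code from the article or from Google) contrasts a hypothetical hand-rolled escape that handles only quotes and backslashes with a string-literal encoder that emits every non-alphanumeric character as a `\uXXXX` escape, then runs a simple check on the rendered page to confirm the script block cannot be terminated early. The page template and the probe string are constructed for illustration.

```python
import json
import re

# Constructed probe: the same "</script><script>...</script>" shape described
# in the article, with a placeholder body instead of a real payload.
PROBE = '</script><script>PAYLOAD</script>'

# Hypothetical page template: the search query is reflected into a JS string
# literal inside an inline <script> element.
TEMPLATE = '<script>var searchQuery = "{q}";</script>'


def naive_js_escape(value: str) -> str:
    """Hypothetical incomplete escape: handles backslash and both quote
    characters but nothing that could close the enclosing script element."""
    return value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")


def js_string_escape(value: str) -> str:
    """Encode a value for placement inside a JS string literal in inline HTML.

    Every character outside a small safe set is emitted as \\uXXXX (astral
    code points as a surrogate pair), so the HTML parser never sees "</",
    "<!--", quotes, backslashes or line terminators in the reflected data.
    The JS engine decodes the escapes, so the original value is preserved.
    """
    out = []
    for ch in value:
        if ch.isascii() and (ch.isalnum() or ch in ' .,_-:'):
            out.append(ch)
            continue
        cp = ord(ch)
        if cp > 0xFFFF:
            hi = 0xD800 + ((cp - 0x10000) >> 10)
            lo = 0xDC00 + ((cp - 0x10000) & 0x3FF)
            out.append(f'\\u{hi:04x}\\u{lo:04x}')
        else:
            out.append(f'\\u{cp:04x}')
    return ''.join(out)


def render_results_page(query: str, escape) -> str:
    """Render the hypothetical results page with the chosen escaping function."""
    return TEMPLATE.format(q=escape(query))


# The HTML tokenizer leaves script-data state on "</script" (case-insensitive);
# "<!--" switches it into the escaped state, which also changes parsing.
_SCRIPT_BREAKERS = re.compile(r'</script|<!--', re.IGNORECASE)


def script_block_is_intact(page: str) -> bool:
    """True when the reflected data cannot end or alter the script element:
    the page contains exactly one "</script" and no "<!--" inside the block."""
    body = page[len('<script>'):]
    inner = body[:body.lower().rfind('</script>')]
    return page.lower().count('</script') == 1 and not _SCRIPT_BREAKERS.search(inner)


def decoded_js_value(escaped: str) -> str:
    """Decode the JS-escaped literal the way the browser's JS engine would
    (the \\uXXXX escapes used here are also valid JSON, so json.loads suffices)."""
    return json.loads(f'"{escaped}"')


if __name__ == '__main__':
    for name, fn in (('naive', naive_js_escape), ('js_string_escape', js_string_escape)):
        page = render_results_page(PROBE, fn)
        print(f'{name:17s} intact={script_block_is_intact(page)}  {page}')
    print('round-trip ok:', decoded_js_value(js_string_escape(PROBE)) == PROBE)
```

Running the block shows the naive rendering contains three `</script` tokens, so the reflected value closes the real script element and opens a new one, while the `\uXXXX` rendering keeps the block intact and still round-trips to the original query once the JavaScript engine decodes it. The intact-check is a cheap regression test to run over any template that reflects data into inline scripts.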
Google acknowledged the flaw pointed out by Javed and awarded him a bug bounty of $3,133.7 / €2,847.