Sunday 8 November 2015

Security Researcher Found an XSS Bug on YouTube Gaming in Two Minutes Flat

YouTube Gaming  which Google launched in August, works as a separate section of the famous YouTube video sharing portal, where online gamers can stream their games, watch other people play live, or view game-related clips.
YouTube Gaming XSS bug found by security researcher in two minutes

Security researcher Ashar Javed has uncovered a reflected XSS (Cross-Site Scripting) flaw in YouTube Gaming. Javed made blog post to outline how he did it in two minutes flat.

Javed says that Google's devs have been doing their work with YouTube Gaming and escaped or converted dangerous characters like "' and <, so attackers won't be able to use them. However, Javed found out that they forgot to protect the < / combo. The problem is that the < / combo is not protected, and this allowed the researcher to use a simple exploit in the form of:
< /script>< script >MALICIOUS CODE< /script>
which he appended at the end of a simple YouTube Gaming query, like this:
https://gaming.youtube.com/results?search_query=< /script>< script >MALICIOUS CODE< /script>
Using this entry point, hackers could have triggered reflected XSS attacks, which would have allowed them to steal cookies or alter the page's content if they had tricked users into clicking malformed links that contained the malicious code.

Google acknowledged the flaw pointed out Javed and awarded him a bug bounty of $3,133.7 / €2,847.

Share this post
  • Share to Facebook
  • Share to Twitter
  • Share to Google+
  • Share to Stumble Upon
  • Share to Evernote
  • Share to Blogger
  • Share to Email
  • Share to Yahoo Messenger
  • More...


:) :-) :)) =)) :( :-( :(( :d :-d @-) :p :o :>) (o) [-( :-? (p) :-s (m) 8-) :-t :-b b-( :-# =p~ :-$ (b) (f) x-) (k) (h) (c) cheer

Posts RSSComments RSSBack to top
© 2013 ComboUpdates - Powered by Blogger
Released under Creative Commons 3.0 CC BY-NC 3.0