Google has fixed a flaw in Youtube, which was discovered by an Egyptian security researcher. The vulnerability allowed anyone to move or copy comments from one video to another without any user-interaction.
On April 15, Ahmed Aboul-Ela wrote on his blog that he and his friend, Ibrahim Mosaad, discovered the flaw that allowed them to duplicate or copy any comments from one video on YouTube to other.
Aboul-Ela wrote, while they were testing the features of reviewing comments, they found it.
These two researchers mainly focused on the setting which allows the user to hold the comments for review before they get published. They found that if that feature is enabled, then the comments will be listed in a control panel labeled “held for review.”
If anyone comments on a Youtube video, it shows the comment_id and video_id in the post parameters. Now, if anyone changes the video_id to any other video id, he/she will get an error. However, if he/she does not touch the video_id and change only the comment_id to any other comment-id on any Youtube video, the request will get accepted and that comment will be copied and appear on his/her own video.
“The author of the comment does not get notified that his comment is copied onto another video nor the original comment from the original video doesn’t get removed,” Aboul-Ela wrote.
According to him, the flaw could be used to make a good video unpopular. And it could have been used to copy any celebrity or public figure’s comment and paste it on their videos.
Aboul-Ela wrote that Google decided to give $3,133.7 reward which is the maximum payment for disclosing vulnerabilities in normal Google applications.