Security Vulnerability in YouTube?!

by Shijaz Abdulla on 18.04.2008 at 23:30

Hello world. The time is 12:31 AM in Abu Dhabi, United Arab Emirates, and I have logged in to YouTube to upload a short video. And guess what? I am automatically logged in as another YouTube user that I don't know anything about!!

I kept navigating on various pages in YouTube, and I found that I kept getting logged on as various other users! New vulnerability in YouTube/Google? I guess this will be published in a dozen other blogs by tomorrow and then maybe we can wait and see what YouTube/Google says.
Here are some screenshots. I’m cropping some of the images for ethical reasons 🙂

I clicked on My Favorites, and I get Zoobi4658’s favorites!

Hmm, I clicked on Home, and I arrive at Just2koool’s home.

I click on My Videos, here comes da54sk8er.

Clicked a random link, and lo, here is koxlcxlk.

No, I am not a hacker – neither white, nor grey, nor black hat. It just happened. I logged in with my username and password and the next thing I know I get redirected with a new identity. I keep clicking on other links, I get further new identities. I tried to log out and back in – the same story ensues.

This isn’t the first time with Google. The exact same problem was reported by Gmail users in Kuwait a few months ago. Users were able to see other users’ inboxes and email. This was caused by a caching issue at a Kuwait ISP and in all probability, what I see with YouTube *might be* the same issue. Well, in my opinion, Google should write code that doesn’t allow the ISP web proxy cache to save somebody’s session and give it to someone else!
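An added example, not part of the original post: a small audit that flags per-user responses which a standards-following shared cache (such as an ISP web proxy) would be allowed to store, using a simplified form of the HTTP caching rules in RFC 9111. The sample paths, cookie value and the `sent_cookie` field are constructed for illustration.

```python
# Statuses a cache may store without explicit freshness (heuristic caching, RFC 9110).
HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def shared_cache_may_store(status, headers):
    """Simplified RFC 9111 section 3 test: may a shared cache store this response?"""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc or "private" in cc:
        return False  # the origin explicitly forbids shared storage
    explicit = {"public", "max-age", "s-maxage"} & cc.keys() or "expires" in h
    # With no directives at all, a 200 response is still storable heuristically.
    return bool(explicit) or status in HEURISTIC_STATUSES

def audit(responses):
    """Return paths of per-user responses that a shared cache is allowed to store."""
    risky = []
    for r in responses:
        names = {k.lower() for k in r["headers"]}
        # Cookie-based sessions get no automatic protection from caches.
        per_user = r["sent_cookie"] or "set-cookie" in names
        if per_user and shared_cache_may_store(r["status"], r["headers"]):
            risky.append(r["path"])
    return risky

# Constructed sample responses (not captured from any real site).
SAMPLES = [
    {"path": "/login", "status": 200, "sent_cookie": False,
     "headers": {"Set-Cookie": "SID=constructed; HttpOnly", "Cache-Control": "max-age=300"}},
    {"path": "/my_videos", "status": 200, "sent_cookie": True,
     "headers": {"Content-Type": "text/html"}},
    {"path": "/my_favorites", "status": 200, "sent_cookie": True,
     "headers": {"Cache-Control": "private, no-store"}},
    {"path": "/img/logo.png", "status": 200, "sent_cookie": False,
     "headers": {"Cache-Control": "public, max-age=86400"}},
]

if __name__ == "__main__":
    for path in audit(SAMPLES):
        print("shared cache may store per-user response:", path)
```

These headers only constrain caches that honor them; serving the logged-in session over HTTPS keeps an intermediary proxy from reading or storing the response in the first place.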


19 Apr, 10:30 PM This problem seems to affect only users inside the United Arab Emirates. Most likely the problem is caused by Etisalat, our ISP.
19 Apr, 9:30 PM My blog gets blocked in the UAE
20 Apr, 8:00 AM And we’re back online
23 Apr, 5:00 PM ITP reports the issue
27 Apr, 6:45 PM YouTube security issue in UAE fixed
