Security Vulnerability in YouTube?!

by Shijaz Abdulla on 18.04.2008 at 23:30

Hello world. The time is 12:31 AM in Abu Dhabi, United Arab Emirates, and I have logged in to YouTube to upload a short video. And guess what? I am automatically logged in as another YouTube user that I don't know anything about!!

I kept navigating on various pages in YouTube, and I found that I kept getting logged on as various other users! New vulnerability in YouTube/Google? I guess this will be published in a dozen other blogs by tomorrow and then maybe we can wait and see what YouTube/Google says.
Here are some screenshots. I’m cropping some of the images for ethical reasons 🙂

I clicked on My Favorites, and I get Zoobi4658’s favorites!

Hmm, I clicked on Home, and I arrive at Just2koool’s home.

I click on My Videos, here comes da54sk8er.

Clicked a random link, and lo, here is koxlcxlk.


No, I am not a hacker – neither white, nor grey, nor black hat. It just happened. I logged in with my username and password and the next thing I know I get redirected with a new identity. I keep clicking on other links, I get further new identities. I tried to log out and back in – the same story ensues.

This isn’t the first time with Google. The exact same problem was reported by Gmail users in Kuwait a few months ago. Users were able to see other users’ inboxes and email. This was caused by a caching issue at a Kuwait ISP and in all probability, what I see with YouTube *might be* the same issue. Well, in my opinion, Google should write code that doesn’t allow the ISP web proxy cache to save somebody’s session and give it to someone else!
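As an added illustration (not code from this post, YouTube or Google), the check below applies a simplified version of the RFC 9111 storage rules to decide whether a standards-following shared cache, such as an ISP proxy, would be allowed to keep a personalised response. The function names, hosts, paths and cookie values are constructed for the example.

```python
# Added example: simplified RFC 9111 storage rules for a shared cache (e.g. an ISP proxy).
# Assumption: cookie-based sessions only; the Authorization-header rule is left out.
HEURISTIC_STATUS = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Return {directive: argument or None} for a Cache-Control header value."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def shared_cache_may_store(status, headers):
    """True if a standards-following shared cache is allowed to store the response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False  # the origin has opted out of shared caching
    explicit = any(d in cc for d in ("public", "max-age", "s-maxage")) or "expires" in h
    return explicit or status in HEURISTIC_STATUS  # e.g. a bare 200 is storable

def audit(exchanges):
    """Return URLs of personalised responses that a shared cache could store.
    Vary is ignored, so this errs on the side of flagging."""
    risky = []
    for ex in exchanges:
        names = {k.lower() for k in ex["response_headers"]}
        personalised = ex["request_had_cookie"] or "set-cookie" in names
        if personalised and shared_cache_may_store(ex["status"], ex["response_headers"]):
            risky.append(ex["url"])
    return risky

# Constructed sample traffic; hosts, paths and cookie values are placeholders.
BASE = "https://video.example.test"
SAMPLE = [
    {"url": BASE + "/my_favorites", "status": 200, "request_had_cookie": True,
     "response_headers": {"Expires": "Sat, 19 Apr 2008 00:31:00 GMT"}},
    {"url": BASE + "/my_videos", "status": 200, "request_had_cookie": True,
     "response_headers": {"Cache-Control": "private, max-age=0"}},
    {"url": BASE + "/login", "status": 302, "request_had_cookie": False,
     "response_headers": {"Set-Cookie": "SESSION=constructed", "Cache-Control": "max-age=60"}},
    {"url": BASE + "/static/logo.png", "status": 200, "request_had_cookie": False,
     "response_headers": {"Cache-Control": "public, max-age=86400"}},
    {"url": BASE + "/home", "status": 200, "request_had_cookie": True,
     "response_headers": {"Cache-Control": "no-store"}},
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("shared cache may store personalised response:", url)
```

These headers only bind a cache that honours them; a proxy that ignores `private` or `no-store` is not constrained by this check.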

Updates:

19 Apr, 10:30 PM This problem seems to affect only users inside the United Arab Emirates. Most likely the problem is caused by Etisalat, our ISP.
19 Apr, 9:30 PM My blog gets blocked in the UAE
20 Apr, 8:00 AM And we’re back online
23 Apr, 5:00 PM ITP reports the issue
27 Apr, 6:45 PM YouTube security issue in UAE fixed


Shijaz Abdulla is a Datacenter Solutions Professional at Microsoft, based in Doha, Qatar and helps customers better run their IT infrastructure using Microsoft technologies. He is a blogger and a technology enthusiast.
