Youtube officially has 15 minutes upload time limit for video files. And if you verify your credentials via mobile and use the latest browsers available, YouTube increases the file upload limit to 20GB.  Also YouTube only hosts FLV file types. A Information Security Expert found a flaw in the YouTube API which can be exploited to upload unlimited content on YouTube and in other file formats which were not supported by YouTube.   Nicholas Lemonias found the vulnerability and contacted YouTube on 26th February 2014 and Google confirmed the flaw of Unrestricted File Uploads on 27th February 2014.  It then worked towards the mitigation of the flaw which has been successfully done.
Security Research finds flaws in YouTube but not paid the bug bounty by Google
As per Nicholas Lemonias, the security bug allowed circumvention of web-based control handlers used by the YouTube API, which determined the file-types permitted to be written on YouTube’s store-servers. The validation occurred at the application-layer, through a web-based form; Therefore a user could tamper with the Http data, in order to bypass any web-based file-type validation checks, and consequently to upload, any file of choice/any size to the remote storage network (YouTube servers). 

Nicholas said that though the flaw existed, he couldnt confirm remote code execution at the time of reporting.  The sad thing is Google confirmed this flaw and yet Nicholas was not awarded the Bug Bounty.  The flaw is reported by CXSecurity.

3 COMMENTS

  1. It is surely a vulnerability, with a high impact since there is the ability to write remote files to Google's trusted networks.

    • Really? Before believing the comment and article, it'd be good to check around with multiple experts. Don't believe everything you read.

LEAVE A REPLY

Please enter your comment!
Please enter your name here