I am posting this because I know that YouTube / Google developers read here. Since you guys have shown me that you do not find it necessary to read your e-mails, I am feeling impelled to contact you this way.

Just like other major social networking sites (or even more) YouTube is responsible for the privacy and security of hundreds of millions of users. However presently this security is not provided in the least due to a continuously increasing amount of severe security vulnerabilities on YouTube coming with each site update.

Having security holes is one thing but not responding to vulnerability reports is totally unacceptable and certainly not conform to your commitment to data security.

Taking that into account I'm going to have one last try and give you two weeks from now to contact me. If you don't, I am obliged to disclose all vulnerabilties in public.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

fuck it bruh disclose em anyways. you dont owe them anything

I would love to see this Christian, i saw some in hackyou too. Hehe pretty good.

I agree about the disclosure. It has happened me many times before when I warn someone his site has problems in 80% of times there is no back message from them.

Two weeks is too much.
Make this public and go.. why so much consideration with them?

Because it is worth a consideration to disclose around 50 YouTube vulnerabilities to the public. (point)

It's all in their hands now. If they respond, fine; but if they don't they're going to bear the consequences.

I owe them nothing at all. However I as a security researcher with a sense for responsibility owe the public to protect their data up to a certain degree.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

I think two weeks is a good period and I support this way of vulnerability disclosure if mails aren't answered.

I've seen some of christ1ans vulns and I've found some by myself (it's not very hard after the relaunch and yes there are 50+) and I can say it's hard to believe that those issues are ignored - most are LHF, fixable in a minute and speak for blowzy application development.

Also I think this thread is not about sharing cool links with popping alerts and stuff - it's about creating awareness and spreading knowledge as (in my eyes) the whole forum is - even if some guys have obviously seen too much star wars recently and aren't able to get the sith thing out of their system...

Greetings,
.mario

I had some alike situation few days before with local search engine. I contact them two times but there is no reply, after ~three weeks I disclose vulns in public.

I`m not disclose all vulns, but I say that there is more ... and again, there is no reply from them. On some local forum they say that vulns are not critical and that thay know for that, it is very arrogantly from them ...

http://www.security-net.biz/

50? Wow... If they do respond are you going to release them after they fix them at least?

- RSnake
Gotta love it. http://ha.ckers.org

RSnake: How shall I release fixed vulnerabilities?

The amount of XSS only is somewhere around 50 yes. Some reflective XSS, some persistent XSS, some dump filters and so forth.

If YouTube doesn't contact me, I'll start a DOYB aka. Day Of YouTube Bugs where I release one or more vulnerbilities each hour.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

That would get people's attention, yah. Are you going to do it HP bug of the week style and do it starting Friday night just to screw up a bunch of developer's weekend?

- RSnake
Gotta love it. http://ha.ckers.org

ah, come on - not friday night! my developer soul bleeds just reading that ;)

Haha great ideas, let's rock!

Well, we'll see then. I don't want to do that, I instantly hope that I'll find a message in my mailbox somewhen during the next days.

Even by being forced to contact them publicly this way I'm doing something I don't like - bringing scammers attention on YouTube who could possibly hack them.

So again, YouTube, I do not intend to harm either you or the reputation of your company. In fact, I want to save it and in my judgement this is the only remaining way to make that happen.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0



Edited 1 time(s). Last edit at 06/18/2007 07:37AM by christ1an.

I hope they respond for there own sake, or else I have enough time to code a Youtube XSS Worm and turn it loose.
And that isn't a threat but a certainty, because I need a stable platform to release a concept worm I created which is capable of spawning an entire network,
stealing every cookie, login credential, and aiming at users trying to install keyloggers with some Javascript heap spraying.

Nope. not a joke, time will tell.



Edited 2 time(s). Last edit at 06/19/2007 06:19PM by Ronald.

I've been contacted from Google Security and YouTube.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Ah a pity! :)

I have just sent a report to them.

However while preparing the PoCs I noticed that most vulnerabilities have recently been fixed. So I only listed a few, around about 10. Seems as if they've looked through the source during the last 48 hours.

I'm going to write a blog item about this once it's done.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Well handled, christ1an.

I look forward to seeing the blog post.

[No sooner does man discover intelligence than he tries to involve it in his own stupidity.]
[Jaques Cousteau]



Edited 1 time(s). Last edit at 06/20/2007 10:11PM by Jib.

Very responsibly handled - and glad to see that Google finally responded.

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Yah but kinda sad that it had to come this far.

IMHO full-disclosure would had made them act way much faster then they did now. because in the mean time that Christian was emailing and posting here, Google taking a look at it, thinking about it, doing nothing for a few months. giving other plenty of time to take a peek themselfs. This would never happened with full disclosure from the start, forcing them to shove it up their ass from day one. Lazy bastards, full disclosure is they only way to be responsible for everyone IMO.

Here's the blog item:
http://christ1an.blogspot.com/2007/06/google-says-thank-you.html

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

So you go a thank you and a t-shirt...No stocks??!!

http://mephistosmind.blogspot.com



Edited 1 time(s). Last edit at 06/23/2007 09:32AM by Mephisto.

They probably where out of toiletpaper stocks Mephisto.

Most of the time when I try to help sites, they never get around to returning emails.

At least I still try. I should just disclose them all.

Hello Christian.

I don't think that this 48 XSS in youtube.com, majority known in private list, suppose a serious danger in this moment (only for stupid users...) To what directions you wrote? Try again with help [at} google {dot] com. They always answer to me in less than 24 hours.

Regards.

I don't understand you guys do this for free. Spend all your free time for nothing, and their programmers clap into their hands while you guys do all the work.

I'dd say Google should pay Christian a full salary of what programmers gets @ google for his support and help, but that's my opinion. In fact, the flaws he found are even intellectual property because every injection is different.

Even if Google would spend 0,000000000000000000000000000000000000000000000001% of their budget to spend on security researchers (who obviously do a better job) I think we'll all be living in a more secure place.

I mean common, isn't this at least a bit fair? it should be set as an example, a symbol.

@Ronald: Problem is that this can be conceived as extortion - asking to be paid or threatening to release a vulnerability...

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

So what?

Well, I don't know where you live, but where I come from that's illegal

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Wow, bold move!!

http://hackathology.blogspot.com