Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
YouTube Security Hole: Huge hole,very basic for YouTube to fix
Posted by: coolboy1
Date: October 24, 2008 09:34PM

YouTube doesn't log you out of your account once you close your web browser or even shut down your PC and turn it on again. You are always logged into YouTube unless you clear your cookies.

The YouTube cookie never expires. Try it yourself. Log into your YouTube account, close Internet Explorer (IE doesn't clear cookies; Firefox gives you an option), open IE again and go to YouTube and you will still be logged in. Now shut down your computer, turn it on again, open IE, go to YouTube, and amazingly you will still be logged in.

Hotmail, Gmail, MySpace and all other sites I know have their cookie expire when your web browser is closed, so you have to log in again, so I don't know why YouTube doesn't think it's an issue when Google's Gmail does.

If someone is using a public computer and logs into YouTube, once they have finished they close IE thinking it'll log them out, then another person opens IE and has full access to the previous account that is still logged in.

Re: YouTube Security Hole: Huge hole,very basic for YouTube to fix
Date: October 25, 2008 01:34AM

um ok...

>>If someone is using a public computer and logs into YouTube, once they have finished they close IE thinking it'll log them out

If someone is stupid enough to think that closing your browser logs them out then they deserve to have their login compromised. Most smart people click on 'Logout' when wanting to end their session. This is not really a YouTube issue but more of a common sense issue. Take this for example: someone gets their credit card statement in the mail and they decide, oh, I don't need it, and throw it in the trash thinking it will just end up in landfill, but fail to realize that by not shredding the document they risk their information being stolen. Now it's not the card company who is to blame for giving the statement that ended up in the trash, but the customer who failed to use common sense and just threw it away.

Re: YouTube Security Hole: Huge hole,very basic for YouTube to fix
Posted by: Reiners
Date: October 25, 2008 05:37AM

imho that's not a "huge hole" but a feature. btw I use this "feature" at sla.ckers.org too ... I'm always logged in because I'm lazy.

Re: YouTube Security Hole: Huge hole,very basic for YouTube to fix
Posted by: kuza55
Date: October 25, 2008 06:32PM

Ignoring the fact that no-one cares about YouTube accounts for a moment; unless you're planning on checking thousands of public terminals in the hope someone is logged in so that you can steal their account, this isn't going to lead to any accounts being compromised.

If you can't exploit it, it might as well not exist.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: YouTube Security Hole: Huge hole,very basic for YouTube to fix
Date: October 26, 2008 01:40PM

>> Ignoring the fact that no-one cares about YouTube accounts for a moment; unless you're planning on checking thousands of public terminals in the hope someone is logged in so that you can steal their account, this isn't going to lead to any accounts being compromised.

But think of it this way, if you steal someone's account, you can get the following according to the YouTube sign up page:

1. Comment, rate, and make video responses to your favorite videos
2. Upload and share your videos with millions of other users
3. Save your favorite videos to watch and share later
4. Enter your videos into contests for fame and prizes

...or you can just sign up =oP

Re: YouTube Security Hole: Huge hole,very basic for YouTube to fix
Posted by: Kyo
Date: October 26, 2008 04:15PM

it has potential for a security hole to be more damaging, but it in itself is not a security hole

Re: YouTube Security Hole: Huge hole,very basic for YouTube to fix
Posted by: kuza55
Date: October 27, 2008 07:15PM

Kyo Wrote:
-------------------------------------------------------
> it has potential for a security hole to be more
> damaging, but it in itself is not a security hole

Agreed.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: YouTube Security Hole: Huge hole,very basic for YouTube to fix
Posted by: PaPPy
Date: October 27, 2008 07:57PM

i implemented something like this on my site, but i thought it was more a feature... than a REALLY FUCKING ZOMG HUGE SECURITY HAX WITH BBQ SAUCE!!!!!

and it's interesting u say gmail doesn't keep ur cookies, cause it keeps mine, I'm always logged in, well until the cookie dies i guess

http://www.xssed.com/archive/author=PaPPy/

Re: YouTube Security Hole: Huge hole,very basic for YouTube to fix
Posted by: TheInsider
Date: December 24, 2008 06:46PM

Gmail, Yahoo, Facebook... all the big brands assign you a cookie that lasts a reasonable amount of time; most of them use two weeks.

mail.com gives you an "IP bound session" that expires after ~10 minutes of inactivity.

YouTube can choose any design they want to manage their browsing session state. I am pretty sure their cookie also expires after 2 weeks; if it doesn't, who cares, the moment it expires you re-login anyway, so you always have that cookie in practice :)

The only thing that is a little bit interesting here is that you can log into YouTube using your Gmail account, so an XSS in YouTube _may_ lead to possession of the Gmail cookie, depending on the design (I didn't research that one)

http://rafelivgi.blogspot.com
Aspect9 Founder & Chief Security Architect
------------------------------------------
My job is to assess not assassinate
You can spend your life reading what others write or you can spend your life writing for others to read, choose your destiny!
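
The two session designs named in this thread (a persistent cookie lasting about two weeks, and an IP-bound session that expires after about 10 minutes of inactivity), side by side as an added Python example that is not part of any post and not any site's real code. `SessionStore`, the cookie name `sid` and the explicit `now` timestamps are hypothetical; the point is that validity is decided by server-side state, so logout and expiry hold even if the browser keeps the cookie.

```python
import secrets
from http.cookies import SimpleCookie

TWO_WEEKS = 14 * 24 * 3600   # persistent-cookie lifetime mentioned in the thread
IDLE_LIMIT = 10 * 60         # ~10 minute inactivity limit mentioned in the thread

class SessionStore:
    """Hypothetical in-memory store; the server, not the cookie, decides validity."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, ip, now, remember=False):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user, "created": now, "last_seen": now,
            "absolute": TWO_WEEKS if remember else None,  # fixed lifetime
            "idle": None if remember else IDLE_LIMIT,     # sliding timeout
            "ip": None if remember else ip,               # IP-bound session
        }
        cookie = SimpleCookie()
        cookie["sid"] = sid
        cookie["sid"]["path"] = "/"
        cookie["sid"]["httponly"] = True
        cookie["sid"]["secure"] = True
        if remember:
            # Persistent cookie: survives closing the browser and rebooting.
            cookie["sid"]["max-age"] = TWO_WEEKS
        # No Max-Age/Expires: the browser treats it as a session cookie.
        return sid, cookie["sid"].OutputString()

    def validate(self, sid, ip, now):
        s = self._sessions.get(sid)
        if s is None:
            return None
        too_old = s["absolute"] is not None and now - s["created"] > s["absolute"]
        idle = s["idle"] is not None and now - s["last_seen"] > s["idle"]
        if too_old or idle:
            del self._sessions[sid]  # expired server-side, whatever the cookie says
            return None
        if s["ip"] is not None and s["ip"] != ip:
            return None              # presented from a different address
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        # Explicit logout removes server state; a leftover cookie is then useless.
        self._sessions.pop(sid, None)
```
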
