Using YouTube to steal your files

Goofy_Coyote · 2024-09-23T22:03:27 1727129007

Absolutely loved everything about this.

The attack, the explanation, the webpage, the writing.

It’s an easy 10.

Huge thanks for writing your whole thought process, including things that you tried and didn’t work.

I’m going to use this post as an example for how a great writeup should be done.

rozab · 2024-09-22T10:04:43 1726999483

Would like to highlight that this webpage, interactive 'screenshots' and all, is 31kb

altbdoor · 2024-09-22T12:11:49 1727007109

Ah I see, it makes sense now that they aren't screenshots, and are instead interactive HTML/CSS/JS(?) bits.

Was suspicious of how high quality the screenshots were in mobile, but didn't bother to click on them. Neat!

rebane2001 · 2024-09-22T12:14:11 1727007251

No JS on the page, only HTML/CSS :)

efskap · 2024-09-24T00:20:03 1727137203

The checkbox trick for the clickable Review button is so cool! Loved the easter egg links to various videos too

gukoff · 2024-09-24T10:36:03 1727174163

That's very impressive - how do you do this? I also see an IDE screen with the debugger in your other article about telegram - presumably also HTML/CSS

rebane2001 · 2024-09-24T11:38:05 1727177885

I just open Sublime Text (a basic text editor) and start typing away HTML/CSS until I've got something I like the look of. No fancy IDE features or anything, just typing out code into a file :).

I also use my browsers' DevTools for faster CSS iteration, and Paint.NET for concept art and comparing/measuring screenshots. Sometimes I even use Illustrator and/or Inkscape for some SVG stuff (which I manually edit in code afterwards) - in this blogpost I used Inkscape to recreate the cat emoji and the Chrome iframe error pixel art icon.

pcthrowaway · 2024-09-21T21:00:12 1726952412

Weird to see so little traction on this novel attack.

Honestly, considering this allows anyone to access anyone else's private drive files, I would have expected the payout to be much higher

echoangle · 2024-09-21T22:21:37 1726957297

You have to trick someone into opening your presentation and clicking a specific button, that’s not something a random person knowing my email could easily do. It’s a problem but I wouldn’t exactly say it allows anyone to access anyone else’s private drive files.

a012 · 2024-09-22T11:11:20 1727003480

My company IT sec person sent a presentation and asked everybody to follow a link inside the slide to go to the training website. So never underestimate a attack vector, also security is just a joke.

fragmede · 2024-09-22T10:57:18 1727002638

A random person knowing your email isn't totally random though. a normal person's email address is enough to track down some known associates. Spoof the email as coming from a business partner as the new deck for a side hustle, and the target has been phished. Multiply across every email leaked in recent mega leaks and it's a good thing it was patched!

az226 · 2024-09-22T04:46:18 1726980378

One click is all it takes. That’s the lowest on the totem pole of social engineering.

dredmorbius · 2024-09-22T03:16:02 1726974962

It is the sort of direct targeted attack one might expect a motivated adversary to undertake.

And perhaps those who are cultivating botnets or other widespread attacks.

0dayz · 2024-09-22T06:21:29 1726986089

One major reason I either only watch Youtube on no account or dedicated Youtube Google account.

sushid · 2024-09-22T21:13:51 1727039631

This specific security vulnerability was the main reason you watched Youtube on a dedicated account?

rebane2001 · 2024-09-22T06:45:11 1726987511

I'm not sure how that'd save you here unless you go out of your way to block the youtube domain entirely.

webninja · 2024-09-25T04:37:00 1727239020

He doesn’t want to click on the wrong thing while watching a video or browsing around outside and accidentally get click jacked. A little bit of JavaScript in an advertisement could cause this to happen. Without an active session cookie, none of your drive files can be jacked.

ravishar313 · 2024-09-23T08:45:05 1727081105

This was so good. Never thought things so trivial can be made into such attacks.

nullc · 2024-09-22T09:10:18 1726996218

How can you tell if your root folder has been shared this way? Doesn't look like the root folder's sharing settings are accessible via the normal UI.

rebane2001 · 2024-09-22T11:43:31 1727005411

You cannot share your Root folder, I just threw it in there as a fun bit of unrelated trivia about Drive :). If you attempt to share it (you can try!) you'll just get an error.

marvina2 · 2024-10-04T09:30:34 1728034234

Incredible research

Jerrrry · 2024-09-23T12:47:14 1727095634

This was impressive beyond what I can ingest before a full pot of coffee.

Bravo

changexd · 2024-09-24T03:46:18 1727149578

I think comparing to other system vulnerability such as "if you make X library do Y thing(...10 more steps skipped), you can do RCE", this is fairly understandable for me, at least I know how it works, i guess this also means this exploit can be easily accessed?

spatterl1ght · 2024-09-22T19:34:58 1727033698

this is awesome! loved the read