Using YouTube to steal your files

rozab · 2024-09-22T10:04:43.000000Z

Would like to highlight that this webpage, interactive 'screenshots' and all, is 31kb

altbdoor · 2024-09-22T12:11:49.000000Z

Ah I see, it makes sense now that they aren't screenshots, and are instead interactive HTML/CSS/JS(?) bits.

Was suspicious of how high quality the screenshots were in mobile, but didn't bother to click on them. Neat!

rebane2001 · 2024-09-22T12:14:11.000000Z

No JS on the page, only HTML/CSS :)

pcthrowaway · 2024-09-21T21:00:12.000000Z

Weird to see so little traction on this novel attack.

Honestly, considering this allows anyone to access anyone else's private drive files, I would have expected the payout to be much higher

echoangle · 2024-09-21T22:21:37.000000Z

You have to trick someone into opening your presentation and clicking a specific button, that’s not something a random person knowing my email could easily do. It’s a problem but I wouldn’t exactly say it allows anyone to access anyone else’s private drive files.

a012 · 2024-09-22T11:11:20.000000Z

My company IT sec person sent a presentation and asked everybody to follow a link inside the slide to go to the training website. So never underestimate a attack vector, also security is just a joke.

az226 · 2024-09-22T04:46:18.000000Z

One click is all it takes. That’s the lowest on the totem pole of social engineering.

dredmorbius · 2024-09-22T03:16:02.000000Z

It is the sort of direct targeted attack one might expect a motivated adversary to undertake.

And perhaps those who are cultivating botnets or other widespread attacks.

fragmede · 2024-09-22T10:57:18.000000Z

A random person knowing your email isn't totally random though. a normal person's email address is enough to track down some known associates. Spoof the email as coming from a business partner as the new deck for a side hustle, and the target has been phished. Multiply across every email leaked in recent mega leaks and it's a good thing it was patched!

0dayz · 2024-09-22T06:21:29.000000Z

One major reason I either only watch Youtube on no account or dedicated Youtube Google account.

sushid · 2024-09-22T21:13:51.000000Z

This specific security vulnerability was the main reason you watched Youtube on a dedicated account?

rebane2001 · 2024-09-22T06:45:11.000000Z

I'm not sure how that'd save you here unless you go out of your way to block the youtube domain entirely.

spatterl1ght · 2024-09-22T19:34:58.000000Z

this is awesome! loved the read

nullc · 2024-09-22T09:10:18.000000Z

How can you tell if your root folder has been shared this way? Doesn't look like the root folder's sharing settings are accessible via the normal UI.

rebane2001 · 2024-09-22T11:43:31.000000Z

You cannot share your Root folder, I just threw it in there as a fun bit of unrelated trivia about Drive :). If you attempt to share it (you can try!) you'll just get an error.