Tricking Users with YouTube's Redirect System

Introduction: The Illusion of Trust

Websites like YouTube use redirect pages to warn you when you're about to visit an external link. You trust these pages to show you the correct destination. This write-up is about a flaw we found in YouTube's redirect system that could be used to trick people. It let an attacker create a link that looked safe but actually sent the user to a malicious website.

Discovery

We were looking at how YouTube handles external links and noticed it uses a `q` parameter in its `/redirect` URL to define the destination. The system is supposed to read this link, show it to the user, and then redirect. The problem was in how it read the link. With a specially crafted URL, you could confuse the system so it would show one domain but actually go to a different one.

Exploit

The exploit takes advantage of the fact that different URL parsers handle the `\@` character sequence differently. YouTube likely allows the `@` symbol in URLs because it is used for channel pages (e.g., `youtube.com/@channel`). The vulnerability is triggered by adding a backslash `\` before the `@`. When YouTube's redirect service parsed the URL, the `\` caused it to display the entire string as the destination, making the link look safe. However, when the user clicked to proceed, the browser interpreted the `@` as the delimiter between user info and the host, sending them to the malicious site. A crafted link looked like this:

`https://www.youtube.com/redirect?q=www.verytrustedurl.com\@reversesec.org`

On the redirect page, YouTube would show the destination as `www.verytrustedurl.com@reversesec.org`, which is misleading. When the user clicks "Go to site," the browser ignores the backslash and treats `www.verytrustedurl.com` as user info, navigating to the actual domain: `reversesec.org`. This discrepancy is the core of the vulnerability.

Proof of Concept (PoC)

Conclusion

Even though it seems small, this kind of bug is a serious phishing risk. People trust the warning pages on sites like YouTube, and an attacker could use that trust to send users to fake login pages that steal passwords or to pages that spread malware. We reported it to Google, but they first closed it as "Intended Behavior." After we tweeted about it, it got more attention and they fixed it. It just goes to show that even small bugs can be a big deal for security.