Tricking Users with YouTube's Redirect System

This write-up explores a manipulation technique in YouTube’s redirect system that allows an attacker to spoof URLs: the redirect page shows one destination while the user actually ends up somewhere else.

Discovery

I found that YouTube uses the q parameter to handle external links. However, by manipulating the URL structure, it was possible to trick the system into displaying a trusted domain while redirecting to a different site.

Exploit

The issue lies in how YouTube parses URLs. By inserting the sequence \@ (a backslash followed by an @) into the link, an attacker can craft a misleading URL:

https://www.youtube.com/redirect?q=www.verytrustedurl.com\@reversesec.org

Here, YouTube presents www.verytrustedurl.com as the destination, but the actual redirection leads to reversesec.org.
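As an added illustration (not code from the original post or from YouTube), the following Python models why a q value of this shape can be read two ways and what a redirect endpoint's validation could look like: a generic RFC 3986-style parser treats the backslash as an ordinary character, so everything before the @ becomes userinfo and the host is reversesec.org, while a browser-style parser following the WHATWG URL standard treats a backslash like a slash for http(s), so the host is www.verytrustedurl.com. How YouTube's own endpoint parses the value is not stated in the write-up and is not assumed here; the prepended http:// scheme, the simplified WHATWG model and the validation function are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the q parameter value in the shape the write-up describes.
SAMPLE_Q = r"www.verytrustedurl.com\@reversesec.org"


def with_scheme(q: str) -> str:
    """Prepend http:// when the value carries no scheme (assumed behaviour)."""
    return q if urlsplit(q).scheme else "http://" + q


def rfc3986_host(url: str) -> Optional[str]:
    """Host as a generic-syntax parser sees it: '\\' is an ordinary character,
    so the authority runs up to the last '@' and the text before it is userinfo."""
    return urlsplit(url).hostname


def whatwg_like_host(url: str) -> Optional[str]:
    """Host as a browser-style parser sees it: for http(s) the WHATWG URL
    standard treats '\\' like '/', so the authority ends at the backslash.
    Simplified model (assumption), not a full WHATWG implementation."""
    return urlsplit(url.replace("\\", "/")).hostname


def validate_redirect_target(q: str) -> Optional[str]:
    """Defensive check for a redirect endpoint (assumed design): accept only
    http(s) URLs whose authority contains no userinfo and no characters that
    parsers disagree on, and return one canonical URL that is used both for
    display and for the actual redirect. Returns None when the value is rejected."""
    parts = urlsplit(with_scheme(q))
    if parts.scheme not in ("http", "https"):
        return None
    if "@" in parts.netloc or "\\" in parts.netloc:
        return None  # userinfo or backslash in the authority: ambiguous, reject
    if not parts.hostname:
        return None
    return urlunsplit(parts)


if __name__ == "__main__":
    url = with_scheme(SAMPLE_Q)
    print("generic parser host :", rfc3986_host(url))
    print("browser-like host   :", whatwg_like_host(url))
    print("validated target    :", validate_redirect_target(SAMPLE_Q))
```

The two host functions disagree on the same string, which is the ambiguity a redirect page must not pass on to the user; the validator refuses the value instead of picking one reading for display and another for the redirect.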

Proof of Concept (PoC)

Conclusion

While seemingly minor, this issue could be used in phishing campaigns to bypass user skepticism, as the YouTube redirect page adds legitimacy to the spoofed link. I reported this behavior to YouTube, but they determined it was not a security vulnerability. Despite this, refining their URL parsing could prevent misuse.