Tricking Users with YouTube's Redirect System
Introduction
This write-up will take you through how I accidentally stumbled upon a trick to manipulate YouTube's redirect system. It was a peaceful day of watching videos when I clicked on a link, and boom—YouTube’s redirect page showed up. Little did I know, this would lead to a discovery.
Discovery
Like many of my findings, this vulnerability wasn't the result of deep research. It all started with my curiosity while clicking a link. To my surprise, I was redirected to YouTube's redirect page. This was something new for me, as I hadn't encountered it before. Even though I'm not skilled in web research, I decided to investigate.
After some investigation, I realized that YouTube's redirect page takes the destination from a "q" query parameter. Everything seemed fine, until I noticed that the value could be crafted so that the host YouTube shows as the destination is not the host the browser is actually sent to.
Exploit
Here's where the fun begins. Craft a URL like this:
https://www.youtube.com/redirect?q=www.verytrustedurl.com\@reversesec.org
There is nothing magic about "\@": it is a literal backslash followed by an at-sign. In a URL authority, "@" separates optional userinfo (user:password) from the host, so a parser that treats "www.verytrustedurl.com\" as userinfo lands on reversesec.org, while a parser that stops the authority at the backslash (as the WHATWG URL parser in browsers does for http and https URLs) takes www.verytrustedurl.com as the host. The redirect page shows the part before "\@" as the destination, but the actual redirect goes to the part after it: the displayed name and the navigated host come from different interpretations of the same string, which is what lets an attacker spoof the destination.
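The following is an added example, not code from the original write-up. It shows how the crafted "q" value from above resolves to two different hosts under two common sets of parsing rules, and how a redirect endpoint can refuse such input by rejecting userinfo, refusing values on which the parsers disagree, and deriving the displayed destination and the Location header from the same parsed hostname. The function names and the assumption that a scheme-less "q" implies https:// are mine for this illustration; the hostnames are the ones used in the write-up.

```javascript
// Added example, not code from the original write-up. It shows why the
// "q" value www.verytrustedurl.com\@reversesec.org names two different
// hosts depending on the parsing rules applied, and how a redirect
// endpoint can refuse such input. Function names and the https:// default
// are assumptions made for this illustration.

// The write-up's "q" value has no scheme; we assume https:// is implied.
function addScheme(target) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(target) ? target : "https://" + target;
}

// Parser A: a lenient authority split of the kind many server-side URL
// libraries use (Python's urllib.parse behaves this way). The authority
// runs until the first "/", "?" or "#", and the host is whatever follows
// the LAST "@" in it. A backslash is not special.
function rfc3986Host(target) {
  const abs = addScheme(target);
  const rest = abs.slice(abs.indexOf("://") + 3);
  const end = rest.search(/[/?#]/);
  const authority = end === -1 ? rest : rest.slice(0, end);
  const at = authority.lastIndexOf("@");
  const hostPort = at === -1 ? authority : authority.slice(at + 1);
  return hostPort.split(":")[0].toLowerCase();
}

// Parser B: the WHATWG URL parser implemented by browsers and Node. For
// http(s) URLs a backslash is treated like "/", so it ends the authority
// before the "@" is reached; "@reversesec.org" then becomes the path.
function whatwgParse(target) {
  return new URL(addScheme(target));
}

// Hardened decision for a redirect endpoint: parse once with one parser,
// reject any userinfo, refuse input on which the two parsers disagree, and
// derive both the displayed destination and the Location header from the
// same parsed hostname so they can never diverge.
function decideRedirect(q) {
  let url;
  try {
    url = whatwgParse(q);
  } catch (e) {
    return { allow: false, reason: "unparseable" };
  }
  if (url.username !== "" || url.password !== "") {
    return { allow: false, reason: "userinfo present", host: url.hostname };
  }
  if (url.hostname !== rfc3986Host(q)) {
    return { allow: false, reason: "parser disagreement", host: url.hostname };
  }
  return { allow: true, host: url.hostname, location: url.href };
}

// Demonstration on the crafted value from the write-up.
const crafted = "www.verytrustedurl.com\\@reversesec.org";
console.log("lenient host :", rfc3986Host(crafted));             // reversesec.org
console.log("WHATWG host  :", whatwgParse(crafted).hostname);    // www.verytrustedurl.com
console.log("decision     :", decideRedirect(crafted));          // allow: false, parser disagreement
```

Note that a legitimate "@" in a path (for example a YouTube channel handle such as www.youtube.com/@somehandle) still passes: it never becomes userinfo under either parser, so only authority-level tricks are rejected.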
Proof of Concept (PoC)
Impact
While this may seem like a harmless trick, there are significant implications if it is exploited maliciously. Imagine an attacker embedding this link in a phishing email. The link itself points at youtube.com, so it inherits YouTube's trust; the user clicks it, and YouTube's redirect page makes it look like they are being sent to a trusted site, only for them to end up on a malicious one instead.
Conclusion
The manipulation of the "q" parameter exploits how YouTube's redirect page parses URLs, allowing an attacker to spoof the displayed destination. After I reported the issue to YouTube, they reviewed it and confirmed that it does not qualify as a security vulnerability. I believe there is still room for improvement in their URL parsing to prevent potential misuse.
Thanks for reading this write-up! I hope it was informative.