Broken session control lets a viewer access private videos through the shared link for a specific time even after access is revoked!! — #GoogleVRP
A lot of people might know how to share a private video and how to access it, but the interesting thing here is that this vulnerability can be used to view a private video after access has been revoked.
Let’s assume a scenario: suppose you have uploaded a private video and shared access with specific people in an organization by entering their email addresses, or mistakenly shared the video with a person.
After some time you revoke their access by removing the email address. In the meantime, suppose the viewer who had access to the video captures the response for that video and saves it.
Now if they try to view the video they will see an error. But if they use a proxy to inject the saved response, they can still view the video, and they can also screen-record it. They can view the video until the response expires. As far as I know, it takes approximately 8 hours for the session to expire.
Here, when we grant access to the private video it takes effect immediately, but revoking access is different: it won’t take effect immediately😂
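A minimal model of the grant/revoke asymmetry described above, added here as an example; it is not code from this write-up or from Google. It assumes playback is authorised by a signed, time-limited grant issued at share time (the page does not describe the real mechanism), and every name, key and timestamp in it is constructed. It compares a server that checks only signature and expiry with one that also consults the current share list on each request.

```python
import hashlib
import hmac

# Constructed demo values; the real service's grant format is not on the page.
SECRET = b"demo-signing-key"
TTL_SECONDS = 8 * 3600  # the roughly 8 hour lifetime observed in the write-up


def issue_grant(video_id, viewer, now):
    """Sign (video, viewer, expiry) at the moment the viewer is authorised."""
    expiry = now + TTL_SECONDS
    msg = f"{video_id}|{viewer}|{expiry}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return {"video": video_id, "viewer": viewer, "exp": expiry, "sig": sig}


def signature_ok(grant, now):
    """True when the grant is untampered and has not yet expired."""
    msg = f"{grant['video']}|{grant['viewer']}|{grant['exp']}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, grant["sig"]) and now < grant["exp"]


def serve_expiry_only(grant, now):
    """Behaviour matching the write-up: a saved grant works until it expires."""
    return signature_ok(grant, now)


def serve_with_acl_check(grant, now, acl):
    """Hardened form: also check the current share list on every request."""
    allowed = acl.get(grant["video"], set())
    return signature_ok(grant, now) and grant["viewer"] in allowed


def simulate():
    """Share, save the grant, revoke, then present the saved grant later."""
    acl = {"vid1": {"viewer@example.com"}}
    t0 = 1_700_000_000  # constructed timestamp
    saved = issue_grant("vid1", "viewer@example.com", t0)
    acl["vid1"].discard("viewer@example.com")  # owner revokes the share
    results = {}
    for label, t in [("1h", t0 + 3600), ("9h", t0 + 9 * 3600)]:
        results[label] = (serve_expiry_only(saved, t),
                          serve_with_acl_check(saved, t, acl))
    return results


if __name__ == "__main__":
    print(simulate())
```

Shortening the grant lifetime narrows the window but does not close it; only the per-request check against current permissions makes revocation take effect immediately.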
Since, as Google said, it’s a small window of attack, I have uploaded my PoC on YouTube itself. Capture the response of my video so that even if I make it private, you will still have access to it for some time..!😛😂
Final POC Video:
But when I decided to send this issue to Google VRP, the response didn’t make me happy, and yes, the report was closed as ‘Intended Behavior’ :(
So see y’all in a new write-up soon guys !!
Thanks for reading !!