Closed Bug 843330 Opened 13 years ago Closed 12 years ago

Video app is vulnerable to API URL parameter injection attack

Categories

(Firefox OS Graveyard :: Gaia::Video, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: st3fan, Unassigned)

In gaia/apps/video/youtube.js this is done for incoming YouTube URLs:

  var videoId = url.slice(15, url.indexOf('?'));

And then blindly appends the videoId to the API URL using string concatenation. This is very easy to manipulate to inject extra parameters to the API:

  url = "vnd.youtube:///VIDEOID&extraparam1=foo&redirecttoevilsite=yes?"
  videoId = url.slice(15, url.indexOf('?'));
  query = 'http://www.youtube.com/get_video_info?&video_id=' + videoId;

query is now:

  http://www.youtube.com/get_video_info?&video_id=VIDEOID&extraparam1=foo&redirecttoevilsite=yes

This can be improved with a simple regex or better splitting of the incoming URL.
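
The slice-and-concatenate behaviour from the report, next to one way to do the "simple regex" validation it suggests. This is an added example, not part of the original report and not Gaia's code. The function names, the allowed character set, and the length limit for video ids are assumptions.

```javascript
const API = 'http://www.youtube.com/get_video_info';

// Behaviour described in the report: everything between offset 15 and the
// first '?' is appended to the API URL without validation or encoding.
function buildQueryVulnerable(url) {
  const videoId = url.slice(15, url.indexOf('?'));
  return API + '?&video_id=' + videoId;
}

// Assumption: a video id consists only of URL-safe characters (letters,
// digits, '_' and '-') and is at most 64 characters long. The whole input
// must match, so a trailing '&name=value' fails validation instead of
// being forwarded. The query part after the id is optional and ignored.
const VIDEO_URL_RE = /^vnd\.youtube:\/\/\/([A-Za-z0-9_-]{1,64})(?:\?.*)?$/;

function extractVideoId(url) {
  const m = VIDEO_URL_RE.exec(String(url));
  return m ? m[1] : null;
}

function buildQuerySafe(url) {
  const videoId = extractVideoId(url);
  if (videoId === null) {
    return null; // reject the input rather than guess at an id
  }
  // URLSearchParams percent-encodes the value, so even if the pattern above
  // is loosened later, the id cannot introduce additional parameters.
  const params = new URLSearchParams({ video_id: videoId });
  return API + '?' + params.toString();
}

// Constructed sample inputs: a plain URL and the injected URL from the report.
const samples = [
  'vnd.youtube:///VIDEOID?',
  'vnd.youtube:///VIDEOID&extraparam1=foo&redirecttoevilsite=yes?',
];
for (const s of samples) {
  console.log('input:     ', s);
  console.log('vulnerable:', buildQueryVulnerable(s));
  console.log('validated: ', buildQuerySafe(s));
}
```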
Blocks: youtube.com
YouTube is no longer played inside of the video app.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID