Closed
Bug 843330
Opened 11 years ago
Closed 11 years ago
Video app is vulnerable to API URL parameter injection attack
Categories
(Firefox OS Graveyard :: Gaia::Video, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: st3fan, Unassigned)
References
Details
In gaia/apps/video/youtube.js this is done for incoming YouTube URLs: var videoId = url.slice(15, url.indexOf('?')); And then blindly appends the videoId to the API URL using string concatenation. This is very easy to manipulate to inject extra parameters to the API: url = "vnd.youtube:///VIDEOID&extraparam1=foo&redirecttoevilsite=yes?" videoId = url.slice(15, url.indexOf('?')); query = 'http://www.youtube.com/get_video_info?&video_id=' + videoId; query is now: http://www.youtube.com/get_video_info?&video_id=VIDEOID&extraparam1=foo&redirecttoevilsite=yes This can be improved with a simple regex or better splitting of the incoming URL.
Updated•11 years ago
|
Blocks: youtube.com
Comment 1•11 years ago
|
||
YouTube is no long played inside of video app.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•