Closed Bug 843330 Opened 11 years ago Closed 11 years ago

Video app is vulnerable to API URL parameter injection attack

Categories

(Firefox OS Graveyard :: Gaia::Video, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: st3fan, Unassigned)

In gaia/apps/video/youtube.js this is done for incoming YouTube URLs:

  var videoId = url.slice(15, url.indexOf('?'));

And then blindly appends the videoId to the API URL using string concatenation.

This is very easy to manipulate to inject extra parameters to the API:

  url = "vnd.youtube:///VIDEOID&extraparam1=foo&redirecttoevilsite=yes?"
  videoId = url.slice(15, url.indexOf('?'));
  query = 'http://www.youtube.com/get_video_info?&video_id=' + videoId;

query is now:

  http://www.youtube.com/get_video_info?&video_id=VIDEOID&extraparam1=foo&redirecttoevilsite=yes

This can be improved with a simple regex or better splitting of the incoming URL.
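The fix suggested in the report, as an added example that is not part of the original report and is not Gaia code. The function names are hypothetical, and the 11-character `[A-Za-z0-9_-]` video ID format is an assumption. The example compares the sliced-and-concatenated query with one built from an allow-listed ID.

```javascript
// Added example, not Gaia code. The API URL and vnd.youtube:/// shape are from the report;
// the 11-character ID alphabet below is an assumption about YouTube video IDs.
const API_BASE = 'http://www.youtube.com/get_video_info';

// Behaviour described in the report: slice at a fixed offset, concatenate unchanged.
function buildQueryVulnerable(url) {
  const videoId = url.slice(15, url.indexOf('?'));
  return API_BASE + '?&video_id=' + videoId;
}

// Hardened: the whole URL must match; only an allow-listed ID is captured.
const VIDEO_URL_RE = /^vnd\.youtube:\/\/\/([A-Za-z0-9_-]{11})(?:\?.*)?$/;

function extractVideoId(url) {
  const m = VIDEO_URL_RE.exec(String(url));
  return m ? m[1] : null;
}

function buildQueryHardened(url) {
  const videoId = extractVideoId(url);
  if (videoId === null) return null; // reject instead of guessing at an ID
  // URLSearchParams percent-encodes the value, so it cannot add parameters.
  const params = new URLSearchParams({ video_id: videoId });
  return API_BASE + '?' + params.toString();
}

// Parameter names the API endpoint would receive for a built query.
function paramNames(query) {
  return Array.from(new URL(query).searchParams.keys());
}

// Constructed inputs: one well-formed, one using the report's injection pattern.
const GOOD = 'vnd.youtube:///abcDEF12345?feature=share';
const INJECTED = 'vnd.youtube:///abcDEF12345&extraparam1=foo&redirecttoevilsite=yes?';

console.log(paramNames(buildQueryVulnerable(INJECTED))); // three parameters reach the API
console.log(buildQueryHardened(INJECTED));               // rejected
console.log(buildQueryHardened(GOOD));                   // single video_id parameter
```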
Blocks: youtube.com
YouTube is no longer played inside of video app.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID