Nicholas Lemonias, an information security expert with Advanced Information Security Corp who holds an MSc in Information Security from the University of Derby, England, has identified what he describes as an unrestricted file upload vulnerability in YouTube. However, Google denies that the researcher’s findings represent a security issue.
On February 26, Lemonias informed Google, through the company’s security program, of an issue that allowed him to circumvent the web-based control handlers used by the YouTube API, which determine which file types can be uploaded to YouTube’s servers.
While the expert and his team believe that this should be regarded as a security issue, Google disagrees. The search engine giant’s representatives have confirmed for Softpedia that they’ve received Lemonias’ report.
“We did receive the report, but based on the information submitted, we do not believe it to be a valid security issue. So we have closed the case without forwarding it to the product team and have not made any product changes as a result of this submission,” they noted in an emailed statement.
Google highlights the fact that they’ve rewarded thousands of people who have submitted security issues.
On the other hand, Lemonias says experts from OWASP and other organizations agree that his findings represent a security issue. He has provided Softpedia with a proof-of-concept (PoC) video demonstrating his findings.
He believes that the issue impacts the integrity and scope of information flow of YouTube’s service.
The expert also points to the email in which Google confirms that the files have been uploaded to its servers.
Here are the arguments brought by the researcher in support of his claims:
“It is not a question whether this is a security vulnerability. As per the proof of concept images and reports, you can see that we have successfully uploaded files to their remote networks.
That means that a door was open for anyone to upload any file of choice. Whether this is a security vulnerability or not, I will leave that to your discretion. Google however questions the impact of this problem.
I would like to point to Google Security team, that academic literature from widely recognised experts, such as (Saltzer et al., 1984), (Stoneburner et al., 2004) but also – ‘The protection of information in computer systems.’
Proceedings of the IEEE 63.9 (1975): 1278 again by (Saltzer et al., 1975) which entails that once the information security flow or scope, and/or function of a design is circumvented, that constitutes a security issue.
On the other hand according to OWASP and recognised practice an unrestricted file upload vulnerability is a very serious problem.
However according to widely recognised security practice circumvention of data (in this case of HTTP parameters) is a security violation. Our findings are not based on personal beliefs, but rather based on tangible proof of concepts, widely recognised practice and academic subject matter literature.
Furthermore from an academic perspective and according to subject matter literature by (Saltzer et al., 1984) and (Stoneburner et al., 2004) an Access Control List is a list of principals that are allowed to have some sort of authorization to some system objects/functions.
The definition of a principal is therefore that of a participating entity in a computer system, to which authorizations are granted over an object.
Therefore in YouTube’s case, the affected service makes use of a protected subsystem where procedures may be called only at designated domain entry points. Namely that only a specific set of file-types can be uploaded by users.
Thus the security mechanisms in place for the upload functionality, originally prevent uploading of files with dangerous file extensions.
In YouTube’s case an unauthorised principal can bypass the security controls of the application, and circumvent its scope and security function, with the end result being the ability to upload any file of choice. In this case a principal is unauthorised, because only a YouTube administrator should be able to upload any file of choice.
Furthermore the principles of Information Security entail and acknowledge that a secure system should be based on nine principles.
I would like to mention two of those principles, which I see relevant to this security report, and are those of:
1) Complete Mediation: Meaning that access to each and every object should be checked for authority before a certain action.
2) Least Privilege ‘where every function or program should operate using the least required permission to accomplish its scope’.
Furthermore, the attached images confirm our research experiments, submitted as part of the Google Coordinated Security Research program, which encourages security researchers to find vulnerabilities.”
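The two principles the researcher cites, complete mediation and least privilege, translate into a concrete pattern for an upload handler: every request passes through the same server-side checks, and the set of accepted file types is a short allowlist rather than a denylist of "dangerous" extensions. The following is an added example written for this article, not YouTube's code or anything from Google or the researcher; the `Upload` type, the size limit, the two media types and the sample bodies are all constructed here. It places the kind of control that trusts a client-chosen Content-Type header (`weak_check`) beside a validator that checks the name, the declared type and the actual bytes together.

```python
"""Server-side validation for an upload endpoint that is supposed to accept
only a fixed set of media types (constructed example, not YouTube's code)."""
import os
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

MAX_UPLOAD_BYTES = 64 * 1024 * 1024   # assumed limit for this example


@dataclass(frozen=True)
class Upload:
    filename: str       # name supplied by the client (untrusted)
    content_type: str   # MIME type supplied by the client (untrusted)
    data: bytes         # file body


def _is_mp4(data: bytes) -> bool:
    # ISO base media files start with a 4-byte box size followed by 'ftyp'.
    return len(data) >= 8 and data[4:8] == b"ftyp"


def _is_webm(data: bytes) -> bool:
    # Matroska/WebM files start with the EBML header 1A 45 DF A3.
    return data[:4] == b"\x1a\x45\xdf\xa3"


# Allowlist: extension -> (MIME type the client must declare, content sniffer).
# Anything not listed here is rejected; there is no denylist to slip past.
ALLOWED_TYPES: Dict[str, Tuple[str, Callable[[bytes], bool]]] = {
    "mp4": ("video/mp4", _is_mp4),
    "webm": ("video/webm", _is_webm),
}


def weak_check(upload: Upload) -> bool:
    """The kind of control that can be circumvented: it trusts the
    Content-Type the client chose and never looks at the name or the bytes."""
    return upload.content_type.startswith("video/")


def sanitize_name(filename: str) -> str:
    """Reduce a client filename to a bare base name; reject unusable names."""
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name or name in ("", ".", ".."):
        raise ValueError("unusable filename")
    return name


def validate_upload(upload: Upload) -> Tuple[bool, str]:
    """Return (accepted, reason). Every upload goes through every check
    (complete mediation); only allowlisted types pass (least privilege)."""
    if not upload.data:
        return False, "empty body"
    if len(upload.data) > MAX_UPLOAD_BYTES:
        return False, "body too large"
    try:
        name = sanitize_name(upload.filename)
    except ValueError as exc:
        return False, str(exc)
    if "." not in name:
        return False, "missing extension"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed"
    expected_mime, sniff = ALLOWED_TYPES[ext]
    # The declared type must agree with the extension ...
    if upload.content_type.lower() != expected_mime:
        return False, "content-type does not match extension"
    # ... and the bytes must agree with both; the client's claims never decide alone.
    if not sniff(upload.data):
        return False, "content does not match declared type"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads.
    ok = Upload("clip.mp4", "video/mp4", b"\x00\x00\x00\x20ftypisom" + b"\x00" * 24)
    mislabelled = Upload("clip.mp4", "video/mp4", b"<html><body>not a video</body></html>")
    print(validate_upload(ok))           # (True, 'ok')
    print(validate_upload(mislabelled))  # (False, 'content does not match declared type')
    print(weak_check(mislabelled))       # True: the weak control would let it through
```

The point of the pairing is that `weak_check` accepts the mislabelled upload because it only reads a header the client controls, whereas `validate_upload` rejects it because the bytes do not match the declared type. In a real service the accepted file would still be stored under a server-generated name and served from a domain that does not execute uploaded content, so that even a wrong decision here does not become code execution.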
Previously, Lemonias has reported security holes to companies such as Microsoft, Nokia, Adobe, Cisco, AT&T and Visa.