My claim is now verified.... Cheers!
On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. < [email protected]> wrote: > http://upload.youtube.com/?authuser=0&upload_id= > AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1-- > uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin= > CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw > > That information can be queried from the db, where the metadata are saved. > The files are being saved persistently , as per the above example. > > > On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. < > [email protected]> wrote: > >> >> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw >> >> That information can be queried from the db, where the metadata are >> saved. The files are being saved persistently , as per the above example. >> >> >> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson >> <[email protected]>wrote: >> >>> Hi Nikolas, >>> >>> Please do read (and understand) my entire email before responding - I >>> understand your frustration trying to get your message across but maybe >>> this will help. >>> >>> Please put aside professional pride for the time being - I know how it >>> feels to be passionate about something yet have others simply not >>> understand. >>> >>> Let me try and bring some sanity to the discussion and explain to you >>> why people maybe not agreeing with you. >>> >>> You (rightly so) highlighted what you believe to be an issue in a >>> Youtube whereby it appears (to you) than you can upload an arbitrary file. >>> If you can indeed do this as you suspect then your points are valid and you >>> "may" be able to cause various issues associated with it such as DOS etc - >>> especially if the uploaded files cannot or are not tracked. >>> >>> However... >>> >>> Consider than you are talking to an API and what you are getting back >>> (the JSON response) in your example is simply a response from the API to >>> say the file you uploaded has been received and saved. >>> >>> Now, as you no doubt know, when you upload a regular movie to YouTube, >>> once uploaded it goes away and does some post-processing, converting it to >>> flash for example. What's to say that there isn't some verification aspect >>> to this post-processing that checks if the file is intact a valid movie and >>> if not removes it. >>> >>> If you could for example demonstrate that the file was indeed >>> persistent, by being able to retrieve it for example then again, you would >>> have solid ground to claim an issue however your claims at this point are >>> based on an assumption.... Let me explain. >>> >>> 1. You have demonstrated than you can send "any" file to an API and the >>> API returned an acknowledgment of receiving (and saving) the file. >>> >>> 2. You / we don't know what Google do with files once they have been >>> received from the API - maybe they process them and validate them - we >>> simply don't know. >>> >>> 3. You have hypothesized that you can retrieve the file by manipulating >>> tokens etc and you may be right, but you have not demonstrated it as such. >>> >>> Because of this, you seem to have made a CLAIM that you can upload >>> arbitrary files to Google however SHOWN that you can simply send files to >>> an API and an API responds in a certain way. >>> >>> I am NOT saying you haven't found an issue, what I am saying is that you >>> need to demonstrate that the issue is real and thus can be abused. If the >>> Google service simply verifies all uploaded files once they are uploaded >>> and discards them if invalid, then you haven't really found anything. >>> >>> If you were to prove that you were able to retrieve this uploaded file >>> then how could anyone dispute your bug. >>> >>> Hope this helps.... >>> >>> Cheers! >>> >> >> >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
