■■■□□ YT exploit semi-deep dive: Two YouTube redirect abuses. First, copy a redirect URL from a video’s description, paste it out, and edit the original website to whatever website you’d like to create an open redirect. Example:
Zcw&q=https%3A%2F%2Fbad.com%2F&v=ivbQ_Ubo3YU
Then simply change the “q=” parameter to any URL, even a malicious one because YouTube doesn’t revalidate the token. Second, by exploiting URL userinfo syntax, you can craft a URL like:
youtube.com/redirect?q=www…\@bad.com
Though it appears to direct to “trustedurl.com”, the browser treats “bad.com” as the actual host. Both methods bypass YouTube’s verification, enabling phishing, malware delivery & data theft by disguising malicious destinations under YouTube’s trusted domain. Here’s an image for referenceYT exploit semi-deep dive: Two YouTube redirect abuses. First, copy a redirect URL from a video’s description, paste it out, and edit the original website to whatever website you’d like to create an open redirect. Example:
youtube.com/redirect?event…
Then simply change the “q=” parameter to any URL, even a malicious one because YouTube doesn’t revalidate the token. Second, by exploiting URL userinfo syntax, you can craft a URL like:
youtube.com/redirect?q=www.h.cn\@bad.com
Though it appears to direct to “trustedurl.com”, the browser treats “bad.com” as the actual host. Both methods bypass YouTube’s verification, enabling phishing, malware delivery & data theft by disguising malicious destinations under YouTube’s trusted domain.
Source: 𝕏 | https://x.com/jipisback/status/1893916366337397124