Google fixes several Flash vulnerabilities in YouTube

Posted 04 September 2017 15:23 CEST by Jan Willem Aldershoff

Google has patched several vulnerabilities in the Flash video player of YouTube. The vulnerabilities allowed attackers to identify the Google account of users, and in the worst case they could even take control of YouTube, Google Drive and Google Docs accounts. They were discovered by the French security researcher Enguerran Gillier. Gillier had previously discovered vulnerabilities in Facebook, WordPress, Stripe and PayPal.

While Google is phasing out the usage of Flash technology, it’s still used by the search giant. The Flash application programming interface (API) of YouTube contained several security issues, according to Gillier. If a user was logged in to a Google account and visited a malicious website, it was possible to obtain the Google username of that user through a malicious Flash file.

Another vulnerability made it possible for an attacker to take control of YouTube accounts, but only if the user was logged in to the account and visited a malicious website. When those conditions were met, the attacker could obtain private data and watch private videos of the account, post comments with the account or delete all of the user's videos.

A third Flash vulnerability discovered by Gillier in the YouTube Flash API made it possible to take control of YouTube, Google Drive and Google Docs accounts. For this attack to work, the victim had to be logged in to a YouTube or Google Drive account, had to have the Flash plugin installed and had to visit a malicious website.

Gillier informed Google about the vulnerabilities, after which the search giant fixed them all and awarded Gillier a bounty.

