Friday, May 1, 2015

Posted by Paulos Yibelo
2 comments | 11:14 AM

I know the title didn't make much sense to most of you, but bear with me. With this bug, here is the list of things I can make you do:

- Delete your entire YouTube playlist
- Delete your blog / post / comment
- Delete an email thread/conversation, retrieve an email/attachment
- Get your activity and friend list from Google+
- Basically do any activity the Google API can do (

This particular API page needs special care because it's responsible for multiple actions across Google's services; once the tool (The Graph Explorer) has been granted access, that is pretty much everything. In this example, I will demonstrate how this ClickJacking bug can delete your YouTube playlist(s).

Here are the prerequisites:

1. The victim has authorized Google's API (say YouTube) before, or still allows it. (They can easily be manipulated into allowing it, if they haven't already.)
2. The victim visits our malicious site (where the ClickJacking happens).
3. The victim's playlist ID (can be retrieved publicly).

Then that's basically it. A link similar to will delete the playlist with ID PLFJifqT2CnZUvX3VRu66wqCNq8WLzlfE1 when the victim clicks on Execute (luckily for us, the domain is clickjackable).

Exploitation works like this: we frame that domain, make the frame transparent and place a clickable button over "Execute" with a label like "Click here to win a free iPhone"; when the victim clicks it... Boom! Playlist gone!

In the same way, we can do other malicious stuff the Google API is able to do (which is basically almost everything), from Maps to Gmail/G+.


UI Redressing/ClickJacking is a much underestimated attack. Although mitigating it is quite easy, we still see applications falling for it. I hope this bug shows how a single click could compromise the integrity of your Google account, and how a single X-Frame-Options header could have saved the day.
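To make the mitigation concrete, here is an added example (not code from the original post or from Google) that audits a set of response headers and reports whether a third-party page could frame the response. It reads X-Frame-Options and the Content-Security-Policy frame-ancestors directive; the sample header sets at the bottom are constructed.

```python
"""Defender-side check (added example, not from the original post): may a
browser load this response in an <iframe>? Reads X-Frame-Options and CSP."""

def _header(headers: dict, name: str):
    # Header names are case-insensitive, so compare them in lower case.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if CSP lacks it."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def framing_policy(headers: dict) -> str:
    """Classify as 'deny', 'same-origin', 'allow-list' or 'unrestricted'."""
    csp = _header(headers, "Content-Security-Policy")
    ancestors = frame_ancestors(csp) if csp is not None else None
    if ancestors is not None:
        # When both headers are present, browsers that support frame-ancestors
        # ignore X-Frame-Options, so CSP decides. An empty list means 'none'.
        if ancestors in ([], ["none"]):
            return "deny"
        if ancestors == ["self"]:
            return "same-origin"
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return "unrestricted"
        return "allow-list"
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().lower()
        if value == "deny":
            return "deny"
        if value == "sameorigin":
            return "same-origin"
        # ALLOW-FROM and unknown values are ignored by current browsers: no protection.
    return "unrestricted"

def is_clickjackable(headers: dict) -> bool:
    """True when an arbitrary third-party page could frame this response."""
    return framing_policy(headers) == "unrestricted"

# Constructed samples: no restriction (as the post describes) beside the fix.
VULNERABLE = {"Content-Type": "text/html; charset=utf-8"}
FIXED = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "DENY"}
```

Run `is_clickjackable` over the headers a real endpoint returns to confirm a fix landed; a CSP with `frame-ancestors` is the modern equivalent of the X-Frame-Options header and overrides it where both are sent.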

I would like to thank Google Security and the VRP program, and also Abdellah Yaala for helping me see
that more harm could be done with this bug than I initially thought. :)

In the News: 


Report Timeline

Apr 12, 6:04 AM - Initial Report
Apr 21, 7:07 AM - Bug triaged
Apr 21, 2:48 PM - Got fixed + Bounty of 1337$


1. there should be a confirmation box before that

    1. There wasn't. Reason(s):

        (1) it's an API, it shouldn't get a confirmation to process anything when it has the correct auth_tokens.

        (2) it still wouldn't have prevented the click-jacking, nor could using a client side CJ prevention