Lyra, a cybersecurity researcher, recently discovered an unexpected way to exploit YouTube's embed feature in Google Slides.
This vulnerability, which appears to be a strange party trick, has the potential to allow malicious actors to steal files from unsuspecting users.
The vulnerability comes from the way YouTube videos are embedded in Google Slides presentations.
Normally, users can add YouTube videos to their slides by selecting a video, which creates an iframe with the video's embed URL.
The researcher realized that modifying certain parts of the URL could cause the iframe to perform unexpected actions.
The researcher explained, “The moment I changed the videoid to ../, I was redirected to YouTube’s homepage. It worked, though YouTube, like most modern sites, disallows framing to avoid clickjacking.”
Further investigation revealed that specific redirect points in YouTube's URL structure could be used for more than just video embedding.
A particular point of interest was YouTube's redirect system, which frequently employs a parameter known as redir_token.
This token manages the redirection of external links in video descriptions and comments.
The redirect uses a unique token for each session. Without it, users are directed to a warning page rather than the intended destination.
While this makes it difficult to directly manipulate the redirect to an external site, there were other options to consider.
The focus then shifted to YouTube's authentication flow, which allows users to log in and be taken back to their original page.
While experimenting with this mechanism, the researcher discovered a way to frame pages that should have been off-limits.
The redirect worked with subdomains such as music.youtube.com and admin.youtube.com, allowing for more testing.
Unintended File Access
The investigation has expanded to include Google Docs. Using chained redirects and iframe manipulation, the researcher was able to embed Google Docs pages within the Google Slides frame.
This created the possibility of gaining unauthorized access to documents and even tricking users into sharing them.
Although the vulnerability is heavily reliant on user interaction, there is a risk of abuse.
One particularly concerning aspect of this exploit is how it could be used to change file access.
An attacker could gain access to sensitive information if a user is tricked into clicking a shared file link or changing the share settings of a document.
“If clicked, it’ll immediately share Editor permissions for the targeted file/folder with whatever e-mail we specified,” the researcher claimed.
Disguising the share folder button into a poll:
Regardless of the technical possibilities, the exploit is difficult to weaponize without extensive social engineering.
Getting someone to click a link and grant file access still takes effort. However, it demonstrates how, with a little creativity, systems like YouTube and Google Slides can be used far beyond their intended purpose.
Convincing someone to follow all the steps needed would be tough, but it’s not impossible.
It’s a good reminder that even small quirks in widely used tools can lead to bigger security issues.