Tuesday, February 17, 2015

Vulnerability in client-side YouTube requests?

UPDATE: I can see that this is not an issue unless someone is logging in with an OAUTH2 ID, which you can keep secret, which in my case I'm not doing. But if you are using it in your JavaScript code, it is a concern.

I think I just realized there is a fairly significant vulnerability for anyone using only client-side requests (JS, jQuery, AJAX, etc.) for YouTube content. To get the videos, you have to pass an "API key" or "OAuth key" -- basically kinds of passwords -- in your requests. But if you're just using client-side code, then the key is right there if someone knows how to view source. They can then create their own requests, and if they can trick YT into thinking the request came from your URL (which doesn't seem too hard) then they could delete your videos, or add a hardcore porn video or whatever to your channel or playlist.

It seems like I wouldn't be the first to think of this, but if you look at the "sample code" on the Google API page, they have the key right in code, like this:

GET https://www.googleapis.com/youtube/v3/playlistItems?part=snippet&maxResults=50&playlistId=PLPmaD9xD-rAXRXDBDtULmPUqyDeDhKt-k&key={YOUR_API_KEY} *

Am I missing something, or is this extremely dangerous?

*updated for a better example
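
Added example, not part of the original post or of Google's documentation: a small JavaScript check that scans client-side source for embedded Google credentials and separates browser API keys from OAuth material, the distinction the update above draws. The credential patterns and every sample value are assumptions constructed for illustration.

```javascript
// Patterns are assumptions based on commonly seen credential formats,
// not an official specification.
const PATTERNS = [
  // Browser API key: "AIza" followed by 35 URL-safe characters.
  { kind: "api_key", severity: "review", re: /AIza[0-9A-Za-z_-]{35}/g },
  // OAuth 2.0 access token: "ya29." prefix.
  { kind: "oauth_access_token", severity: "critical", re: /ya29\.[0-9A-Za-z_-]{20,}/g },
  // Any quoted value assigned to a client_secret field.
  { kind: "oauth_client_secret", severity: "critical",
    re: /client_secret["']?\s*[:=]\s*["']([^"']{8,})["']/g },
];

// Never echo a full credential into scan output.
function mask(value) {
  return `${value.slice(0, 4)}... (${value.length} chars)`;
}

// Returns one finding per credential-like string, with its 1-based line number.
function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { kind, severity, re } of PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: i + 1, kind, severity, value: mask(m[1] || m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample values; none of these are real credentials.
const FAKE_KEY = "AIza" + "EXAMPLE".repeat(5);
const FAKE_TOKEN = "ya29." + "constructed".repeat(3);
const SAMPLE = [
  "<script>",
  `var url = "https://www.googleapis.com/youtube/v3/playlistItems?part=snippet&key=${FAKE_KEY}";`,
  `var headers = { Authorization: "Bearer ${FAKE_TOKEN}" };`,
  'var cfg = { client_secret: "constructed-secret-value" };',
  'var docs = "https://www.googleapis.com/youtube/v3/playlistItems?key={YOUR_API_KEY}";',
  "</script>",
].join("\n");

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} [${f.severity}] ${f.value}`);
}
```

An api_key finding is a prompt to check that the key is restricted to your site's referrers and to the APIs it needs; a critical finding means the value belongs on a server, not in page source.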