Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

How to move YouTube comments from any video to another

An Egyptian Researcher discovered a flaw that allowed him to duplicate/copy any YouTube comments from any video to another video without user-interaction. The Egyptian colleague Ahmed Aboul-Ela has discovered a vulnerability in YouTube that could be exploited by attackers to move comments from any video to another without any user-interaction. Now imagine that you move the YouTube comment […]

How to move YouTube comments from any video to another

An Egyptian Researcher discovered a flaw that allowed him to duplicate/copy any YouTube comments from any video to another video without user-interaction.

The Egyptian colleague Ahmed Aboul-Ela has discovered a vulnerability in YouTube that could be exploited by attackers to move comments from any video to another without any user-interaction.

Now imagine that you move the YouTube comment posted by any celebrity or public figure on some YouTube video to a video posted by you cool. Attackers can spoof, duplicate or copy the comments posted on discussion boards from any YouTube channel and make them appear as the messages left under his video.

In a similar way, an attacker could populate its discussion board by exploiting the flaw, an activity very useful when someone intends to increase its visibility or want to run PSYOPs operation by influencing wide audience manipulating comments from celebrities or public figures.

Ahmed Aboul-Ela was testing the reviewing comments feature, when he discovered that a YouTube comment posted to any video on the platform can be manipulated by the author of that YouTube channel by operating on the settings to “Hold all comments for review” before it gets posted.

 

YouTube comment manipulation

 

Just a few weeks ago we reported about a simple logical vulnerability in YouTube that could have been exploited by anyone to delete any video from YouTube in just one shot.

By enabling this option, all the comments posted by different users on your video will be listed in the page of YouTube comments of your account, waiting for the user’s approval of removal.

At this point, by approving the any listed YouTube comment and intercepting the related HTTP request, an attacker can easily discover the comment_id and a video_id parameters in the POST request. By manipulating the video_id parameter, the expert got an error. Differently, by changing only the comment_id to any other comment_id value on any YouTube video, the HTTP request is successful and the YouTube comment will appear on the YouTube video chosen by Ahmed Aboul-Ela.

YouTube comment manipulation 2
YouTube comment manipulation 3

The trick is sneaky and goes undetected to the user that originally posted the YouTube comment because it does not remove the original comment from the original video and even the author of the comment does not get notified that his comment has been copied under another video.The researcher Ahmed Aboul-Ela reported the bug to YouTube that rewarded it with $3,133.7 under its bug bounty program, below the video PoC provided by the expert.

Pierluigi Paganini

(Security Affairs –  YouTube comment, Hacking)