Remote code execution in YouTube Android Player API SDK

The YouTube Embedded 1.2 SDK binds to a service within the YouTube Main App. After binding, a remote context is created with the flags Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY. This allows the client app to remotely load code from YouTube Main App by retrieving the Main App’s ClassLoader. A potential vulnerability in the binding logic used by the client SDK where the SDK ends up calling bindService() on a malicious app rather than YT Main App. This creates a vulnerability where the SDK can load the malicious app’s ClassLoader instead, allowing the malicious app to load arbitrary code into the calling app whenever the embedded SDK is invoked. In order to trigger this vulnerability, an attacker must masquerade the Youtube app and install it on a device, have a second app that uses the Embedded player and typically distribute both to the victim outside of the Play Store.

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N

使用外部可控制的输入来选择类或代码(不安全的反射)

Alphabet YouTube Embedded 安全漏洞

Alphabet YouTube Embedded是美国Alphabet公司的一个视频分享应用程序。 Alphabet YouTube Embedded 1.2 SDK版本存在安全漏洞，该漏洞源于SDK可以加载恶意应用程序的ClassLoader。

N/A

N/A