Comments on: Advanced Flash vulnerabilities in Youtube – Part 4
/2017/09/advanced-flash-vulnerabilities-in-youtube-part-4/
Open mind Security and Crypto!
Fri, 30 Jul 2021 20:07:09 +0000

By: BHB (comment-41), Wed, 20 Sep 2017 08:22:22 +0000
In reply to Engue Gillier.

Thank you sir!
Very interesting how the algorithm works. Wouldn't have expected that .mp4 compatibility is a point that gets checked.
I have just seen probably a few hundred webpages that show the error message I mentioned.
Might take a look at that for Firefox, since it sounds like a logical step.

By: Engue Gillier (comment-38), Tue, 19 Sep 2017 07:22:54 +0000
In reply to BHB.

> Ah so Google thought we people on old Windows machines or Linux without HTML5 support (only Adobe Flash) were evil hackers when using nohtml5=1.

Here I’m talking about Youtube embed APIs, to embed a Youtube video in an external website. So it’s not users who manually enter “nohtml5=1” but developers.

> I'm not sure about this sentence “When the iframe loads, it will first check if the browser is able to play videos using html5, and if not it will use the Flash fallback.”

When a “youtube.com/embed/” iframe loads, one of the first JavaScript instructions is:

    try {
        var vid = document.createElement('video');
        if ('' != vid.canPlayType('video/mp4')) {
            // html5 player
        } else {
            // Flash fallback
        }
    } catch (e) {
        // Flash fallback
    }

It is not only looking whether the browser supports the <video> tag, but also whether the <video> tag supports the mp4 codec. Of course the Flash fallback could fail as well but in that case the video won’t play. But for old browsers Youtube should switch to the Flash fallback without any issue.

Note:
One last thing, if you really want to use the Flash fallback on a modern browser you can install an extension like “YouTube Flash Player” for Firefox. What the extension will do is just change the prototype of the vid.canPlayType() method on Youtube webpages so that vid.canPlayType('video/mp4') will return ''.

    if (/^https:\/\/www\.youtube\.com\//.test(location.href)) {
        // Shadow canPlayType on the <video> prototype so every format check returns ''
        document.createElement("video").constructor.prototype.canPlayType = function (a) { return ''; };
    }

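The detection logic described in the comment above, as an added example that is not part of the original thread and is not YouTube's code: it runs the same canPlayType('video/mp4') check against constructed stand-ins for three kinds of browser and shows the effect of the prototype override. The names choosePlayer, docFor and the Fake* classes are hypothetical.

```javascript
// Added illustration; every name here is hypothetical, no real DOM is required.
// Mirrors the embed check: HTML5 only if <video> reports some MP4 support.
function choosePlayer(doc) {
  try {
    const vid = doc.createElement('video');
    // canPlayType returns '', 'maybe' or 'probably'; '' means "cannot play".
    return vid.canPlayType('video/mp4') !== '' ? 'html5' : 'flash';
  } catch (e) {
    // A browser without <video> creates a generic element that has no
    // canPlayType method, so the call throws and the fallback is taken.
    return 'flash';
  }
}

// Constructed stand-ins for three kinds of browser.
class FakeVideo {            // <video> with MP4 support
  canPlayType(type) { return type === 'video/mp4' ? 'probably' : ''; }
}
class FakeVideoNoMp4 {       // <video> present, but no MP4 codec
  canPlayType(type) { return type === 'video/ogg' ? 'maybe' : ''; }
}
class FakeUnknownElement {}  // no <video> support at all

const docFor = (Ctor) => ({ createElement: () => new Ctor() });

function demo() {
  const results = {
    modern: choosePlayer(docFor(FakeVideo)),
    noMp4: choosePlayer(docFor(FakeVideoNoMp4)),
    preHtml5: choosePlayer(docFor(FakeUnknownElement)),
  };
  // Same idea as the extension: replace the prototype method so the
  // page's own check sees '' and selects the fallback.
  const original = FakeVideo.prototype.canPlayType;
  FakeVideo.prototype.canPlayType = function () { return ''; };
  results.modernOverridden = choosePlayer(docFor(FakeVideo));
  FakeVideo.prototype.canPlayType = original; // restore
  results.modernRestored = choosePlayer(docFor(FakeVideo));
  return results;
}

console.log(demo());
```

The outcome depends entirely on what the client reports, so the player choice is a compatibility decision made in the browser and not something the server can rely on.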
By: BHB (comment-37), Tue, 19 Sep 2017 06:19:00 +0000

Ah so Google thought we people on old Windows machines or Linux without HTML5 support (only Adobe Flash) were evil hackers when using nohtml5=1.
I'm not sure about this sentence “When the iframe loads, it will first check if the browser is able to play videos using html5, and if not it will use the Flash fallback.”

Old browsers that only support html5 sluggish will probably try to use html5 and never flash.
That was exactly the reason why so many of these people used the workarounds like /v/ or nohtml5=1.
Anyway Youtube operated by Google has already spoken the last words:
“Flash-embedded videos are no longer supported, but you can still watch this video on YouTube”

By: Neeraj (comment-29), Thu, 14 Sep 2017 16:49:09 +0000

Congrats. Waiting for your Facebook bug poc 🙂
