Posted on May 21st, 2013 by Milos Ivanovic Filed under Google, Security, Software

I was just watching, as part of YouTube Comedy Week, a live broadcast of Day 1 — YouTube FanFest with HP, hosted in Singapore. It featured a Google Hangout with one of my favourite YouTube celebrities, Natalie Tran aka communitychannel, who lives in Australia and was unable to make it to Singapore for the live event. Now, you would expect IT security to be decent when it comes to a YouTube event like this one, even more so considering the event was sponsored by a large corporate company like HP. But it really wasn’t, and I feel both ends are to blame.

The Google Hangout session was screencasted by the host at the event in full-screen view, and by that I mean you could see the entire screen real-estate, taskbar, notification area and menu bars included.

[Image: screenshot of the screencasted Google Hangout session with communitychannel, browser URL bar visible]

You were therefore able to see the Google Hangout session identifier very clearly in the URL, in 1080p HD. Take a look above; it’s https://plus.google.com/hangouts/_/0b03ee704e9d7337b73bf36109b1168aab667b76?hl=en. That means any one of the 5,300+ people watching live on YouTube was able to simply type the URL into their browser, reading it off the YouTube video like I did, to hijack the Google Hangout session and talk to Natalie Tran (♥). And two people did, at 2 hours and 37 minutes in. One of them apparently flashed a naked photo, which happened while the camera was pointing at the audience and you could see everyone laughing. Neither the host nor Natalie Tran knew what was going on, but they went along with it for a short while, with Natalie awkwardly joking about how they are her Internet boyfriends and such.

While that is funny, it’s not acceptable. First of all, the browser used at the live event, which as seen above was Google Chrome, should have been in full-screen mode, obscuring any URLs from view. Secondly, and this is the real issue: Google developers should have been less naïve and realised that just because it’s improbable that an outsider will be able to view the URL of a Google Hangout, it doesn’t mean it’s a good idea to put the session identifier in plain text in the URL. They should have used a session cookie, which is not so obvious and is not visible to anyone who can see the screen of a Hangout user with a Hangout in progress.

Knowing the session identifier, anyone is able to join a Google Hangout without authorisation from anyone presently in the Hangout. Since I don’t use Google Hangouts, I don’t know if there exists a way to force authorisation before joining, showing video and speaking on a Hangout, but if there isn’t, this is an absolute failure of product security by design and requires urgent attention.
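To make the design point concrete, here is a small Python model I am adding (not Google's code; the class and method names and the session id are invented) that contrasts a join flow admitting anyone who presents the session id from the URL with one that treats the id as public and admits a caller only after a current participant approves:

```python
"""Added example: join-by-id versus join-after-approval.

In the insecure flow the session id is effectively a bearer secret: whoever
reads it off a screen can join.  In the guarded flow the id only lets a
caller knock; a participant already in the session must admit them.
"""
from dataclasses import dataclass, field


@dataclass
class InsecureHangout:
    session_id: str                      # the value that leaked in the URL
    participants: set = field(default_factory=set)

    def join(self, url_session_id: str, user: str) -> bool:
        # Knowing the id is the only requirement; nobody is asked.
        if url_session_id != self.session_id:
            return False
        self.participants.add(user)
        return True


@dataclass
class GuardedHangout:
    session_id: str                      # may be visible; it grants nothing
    participants: set = field(default_factory=set)
    pending: set = field(default_factory=set)

    def knock(self, url_session_id: str, user: str) -> bool:
        # Presenting the id only places the caller in a waiting queue.
        if url_session_id != self.session_id or user in self.participants:
            return False
        self.pending.add(user)
        return True

    def approve(self, approver: str, user: str) -> bool:
        # Only someone already in the session may admit a pending caller.
        if approver not in self.participants or user not in self.pending:
            return False
        self.pending.discard(user)
        self.participants.add(user)
        return True


def demo():
    leaked = "constructed-session-id"    # constructed stand-in for a leaked id
    insecure = InsecureHangout(leaked, {"host", "guest"})
    guarded = GuardedHangout(leaked, {"host", "guest"})
    joined_insecure = insecure.join(leaked, "viewer")         # True
    knocked = guarded.knock(leaked, "viewer")                 # True
    in_before_approval = "viewer" in guarded.participants     # False
    approved = guarded.approve("host", "viewer")              # True
    return joined_insecure, knocked, in_before_approval, approved
```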
