It was late June when I received an invitation to test out a new product from YouTube: a video building tool that made it easy to put together advertisements with custom fonts and logos.

The email I got notifying me of the beta.

I don’t know where they got my information — I must have touched every Trusted Tester form on the web — but it presented an opportunity. New products aren’t usually as hardened against attacks. When I tried logging into the website a day after requesting access, to my surprise, it let me in. …

Anyone trying to find or exploit vulnerabilities on the web has likely needed to pose as a client before. In order to find flaws in a web service, you need at least a basic understanding of how the client talks to the server and vice versa, so that you can later send your own crafted requests. But modern protocols and data structures aren’t always easy on the middle man.

For most of its major web apps, Google uses a batch-style RPC system that can be spotted by its common slug: batchexecute. …

Ryan Kovatch

I'm a web security researcher participating in the Google VRP in my free time.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store