Please note that this article discusses a live security risk. It is advised that, for now, readers do not click on links from the YouTube page on which The Tomorrow War trailer appears.
I am not a security expert, just a web-savvy writer, but I have had multiple, independent, and equally web-savvy people confirm that unexpected and undesirable behaviour occurs.
Yesterday, Prime Video posted to YouTube a trailer for Chris Pratt’s sci-fi The Tomorrow War.
The video has now been seen over 4 million times, not all of them on YouTube itself; some views come from the video embedded on sites like Geek Native.
Viewers on YouTube can expand the description panel to reveal a section titled “Get More Prime Video”, which includes links to where to stream it now, Facebook, Twitter and Instagram.
These links appear to be Bitly URLs. Bitly is a popular URL shortener; Prime Video uses it here to make the URLs easier on the eye and, potentially, easy enough to remember and type into the browser directly.
In some circumstances (desktop, Chrome browser), those clicks do not take readers to the pages Prime Video intended. Instead, the clicks appear to be hijacked to a traffic site that earns money from the passthrough traffic and may install malicious scripts.
Clicks from the YouTube page do not go straight to these Bitly URLs, which are plain HTTP rather than HTTPS. First, YouTube routes them through a redirect URL of the form https://www.youtube.com/redirect?event=video_description&redir_token=
The destination of the redirect is then carried in one final query-string variable and value pair: q=http%3A%2F%2Fbit.ly%2FWatchMorePrimeVideo%E2%80%8B%E2%80%8B.
It looks like the hackers have managed to insert themselves into this process, perhaps also making the hijack conditional on certain situations (such as seeing a YouTube referrer header).
All parties involved have good reputations; hacks on either Amazon or Google are incredibly rare. Bitly, though often targeted, has defences, and it is generally safe to click on a Bitly link.
Despite successful third-party verification, it is also possible that a compromised browser or extension is responsible for the clickjacking. I urge caution.
Update: 13:30, 27th May
Could a simple copy-paste error be responsible for the apparent clickjacking? One theory suggests so!
As noted, the q= parameter at the end of the YouTube redirect URL carries the final destination. In the example, the string “%E2%80%8B%E2%80%8B” is visible right at the end, after /WatchMorePrimeVideo; percent-decoded, it is two UTF-8 zero-width space characters (U+200B), which are invisible in most editors.
When those characters are included in the link rather than stripped out, the “bad links” kick in.
This is a known side effect of using a rich-text word processor such as MS Word or WordPad to copy and paste links. Here’s a Stack Overflow article discussing the phenomenon.
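As an added illustration (not code from the article or from any of the parties named), the following script pulls the q= destination out of a YouTube redirect URL of the shape quoted above, flags any zero-width characters hidden in it, and shows the cleaned link. The sample URL is constructed with a placeholder redir_token, and the set of code points checked beyond U+200B is my own choice of common invisible characters.

```python
from urllib.parse import urlsplit, parse_qs

# Invisible code points that a rich-text copy-paste can smuggle into a URL.
# The article shows U+200B; the others are common companions (assumption).
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE (BOM)",
}

def extract_destination(redirect_url):
    """Return the percent-decoded value of the q= parameter of a YouTube redirect URL."""
    qs = parse_qs(urlsplit(redirect_url).query)
    if "q" not in qs:
        raise ValueError("no q= parameter in redirect URL")
    # parse_qs percent-decodes the value as UTF-8, so %E2%80%8B becomes U+200B.
    return qs["q"][0]

def find_invisible_chars(url):
    """Return (index, name) for every zero-width character in the URL."""
    return [(i, ZERO_WIDTH[ch]) for i, ch in enumerate(url) if ch in ZERO_WIDTH]

def sanitize(url):
    """Strip zero-width characters so the short link resolves to the intended path."""
    return "".join(ch for ch in url if ch not in ZERO_WIDTH)

def check_redirect(redirect_url):
    """Report on the redirect's real destination and anything hidden in it."""
    dest = extract_destination(redirect_url)
    hits = find_invisible_chars(dest)
    return {
        "destination": dest,
        "suspicious": bool(hits),
        "plain_http": dest.startswith("http://"),  # the article notes these are not HTTPS
        "invisible_chars": hits,
        "clean_destination": sanitize(dest),
    }

# Constructed sample modelled on the URL shape quoted in the article;
# the redir_token value is a placeholder, not a real token.
SAMPLE = ("https://www.youtube.com/redirect?event=video_description"
          "&redir_token=PLACEHOLDER_TOKEN"
          "&q=http%3A%2F%2Fbit.ly%2FWatchMorePrimeVideo%E2%80%8B%E2%80%8B")

if __name__ == "__main__":
    for key, value in check_redirect(SAMPLE).items():
        print(f"{key}: {value!r}")
```

Run against the sample, it reports two zero-width spaces at positions 33 and 34 and a cleaned destination of http://bit.ly/WatchMorePrimeVideo.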