by petters 2014 days ago
It's pretty interesting that YouTube offers such a huge surface area for processing user-uploaded files. Some of those obscure formats should have a security flaw.

But the ffmpeg processes are surely sandboxed with seccomp or similar, so it probably does not matter at all.

2 comments

The best ffmpeg-based video platform exploit I've ever seen was this one [0] where a user could upload a specially-doctored video to your YouTube-esque platform and while encoding it would trick ffmpeg into reading system files on the server and baking them into the encoded output.

Literally the hacker would upload a video, wait for it to encode, and then once it was available for viewing on the website, they'd be looking at a video containing the text from `/etc/passwd` or your envvars or some secrets file or whatever.

Yes, most encoding services are very well-sandboxed and even when our tiny streaming platform at the time got hit by this when it first appeared a few years ago, it was a non-issue because there was nothing valuable or compromising on the encode servers for them to read. (I think Ubuntu AppArmor stopped it dead in its tracks on its own, anyway.)

[0] https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMx...

At their scale, they're almost certainly running entire racks' worth of servers entirely dedicated to just transcoding video and only able to access input and output files.

(quite likely, those are all actually virtual through some auto-scaling IaaS magic)