Now that we know about YouTube, this is what I think is happening. The YouTube app on the 3DS is just a glorified browser, however that browser is not updated as regularly as the one bundled with the 3DS. It connects to YouTube via a HTTP (not HTTPS) connection, allowing it to be intercepted and changed. The easiest way to do that would be to configure a DNS server on the 3DS's connection that redirects all requests to a different IP address (assuming that the app is connecting via a domain. otherwise a proxy would have to be used). The new page contains an exploit that only works on the YouTube app, however it might not have as many privileges as Ninjhax. Therefore, the YouTube hack is used to run TDVS which injects a save into an game with more privileges (Ironhall), which can then be used to run homebrew.
This could all be wrong, but this is how I theorise it will work.
This could all be wrong, but this is how I theorise it will work.