The author claims to have found a vulnerability in YouTube's systems that allows retrieval of the email address associated with any YouTube channel for a $10,000 bounty. They describe a process involving crafting specific playlist URLs and exploiting how YouTube handles playlist sharing and unlisted videos to ultimately reveal the target channel's email address within a Google Account picker. While they provided Google with a proof-of-concept, they did not fully disclose the details publicly for ethical and security reasons. They emphasize the seriousness of this vulnerability, given the potential for targeted harassment and phishing attacks against prominent YouTubers.
This blog post, titled "Leaking the email of any YouTube user for $10,000," details a purported vulnerability within the YouTube platform that could theoretically allow an attacker to uncover the email address associated with any given YouTube user account. The author, identified as "Brutecat," outlines a complex, multi-stage process leveraging several seemingly innocuous features of the YouTube platform. This process does not involve any hacking in the traditional sense, but rather exploits a series of interconnected functionalities to deduce the target's email address.
The core of the vulnerability revolves around the ability to invite users to collaborate on a private video. When such an invitation is sent, the recipient receives a notification containing the obfuscated email address of the sender. This obfuscation takes the form of replacing characters in the email address with asterisks, leaving only the first and last characters, as well as the domain name, visible.
Brutecat posits that by strategically creating multiple accounts with slight variations in the email address and sending collaboration invitations from these accounts to the target user, an attacker could gather enough information from the resulting obfuscated email notifications to reconstruct the full email address of the target. This is achievable due to the consistent placement of the asterisks, which reveal the length of the email address and the position of the known characters. By iteratively refining the guess of the email address and observing the resulting obfuscated versions, the attacker could systematically eliminate incorrect guesses and eventually pinpoint the precise email address.
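To make the reconstruction argument above concrete from a defender's side, here is an added example (not code from the post, from Brutecat, or from YouTube) contrasting a length-preserving mask of the kind the summary describes with a fixed-shape mask. The mask formats, the candidate address list and the `leaky_mask`/`fixed_mask`/`surviving_candidates` names are all constructed for this illustration; the point is that a mask whose asterisk count tracks the hidden characters, and which exposes the last character, shrinks the set of addresses consistent with it far more than a mask with a constant shape.

```python
# Added example: how much a masked e-mail narrows the candidate set depends on
# the mask's shape. Everything here (formats, candidates) is constructed.

def leaky_mask(email: str) -> str:
    """Length-preserving mask: first and last character of the local part and
    the whole domain stay visible, every hidden character becomes one '*'.
    The asterisk count therefore reveals the local-part length."""
    local, domain = email.rsplit("@", 1)
    if len(local) <= 2:
        return local[0] + "*" * (len(local) - 1) + "@" + domain
    return local[0] + "*" * (len(local) - 2) + local[-1] + "@" + domain


def fixed_mask(email: str) -> str:
    """Fixed-shape mask: only the first character and the domain are visible,
    and the number of asterisks is constant, so the mask carries no length or
    last-character information."""
    local, domain = email.rsplit("@", 1)
    return local[0] + "***@" + domain


def surviving_candidates(mask: str, candidates: list[str], mask_fn) -> list[str]:
    """Return the candidates that would produce `mask` under `mask_fn`.
    A defender can use this to measure how selective a mask format is."""
    return [c for c in candidates if mask_fn(c) == mask]


def leakage_report(target: str, candidates: list[str]) -> dict[str, int]:
    """Number of candidates still consistent with the target's mask under each
    scheme; smaller means the mask leaks more."""
    return {
        "leaky": len(surviving_candidates(leaky_mask(target), candidates, leaky_mask)),
        "fixed": len(surviving_candidates(fixed_mask(target), candidates, fixed_mask)),
    }


# Constructed sample: five addresses that share a first letter and a domain.
CANDIDATES = [
    "alice@example.com",
    "alicia@example.com",
    "alex@example.com",
    "a.smith@example.com",
    "amy@example.com",
]

if __name__ == "__main__":
    target = "alice@example.com"
    print("leaky mask :", leaky_mask(target))
    print("fixed mask :", fixed_mask(target))
    print(leakage_report(target, CANDIDATES))
```

Run as a script it prints the two masks for the sample target and how many of the five constructed candidates remain consistent with each; the length-preserving mask singles out one address, the fixed-shape mask leaves all five. A notification or UI that must show a sender's address is safer with the fixed shape, and safer still showing only a display name plus a verification step rather than any part of the address.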
The author emphasizes that the cost mentioned in the title, $10,000, is a hypothetical bounty that they would demand from Google to disclose this vulnerability responsibly. This figure underscores the perceived severity of the vulnerability and the potential impact it could have on user privacy. The author argues that this vulnerability is particularly concerning because it can be exploited against any YouTube user, regardless of their privacy settings or security practices. The process, while laborious and time-consuming, is theoretically feasible and requires no specialized technical skills, making it accessible to a wider range of potential attackers. Finally, the author notes that this vulnerability highlights the potential risks associated with seemingly benign platform features and underscores the importance of thorough security testing and vulnerability analysis.
Summary of Comments (350)
https://news.ycombinator.com/item?id=43024221
HN commenters largely discussed the plausibility and specifics of the vulnerability described in the article. Some doubted the $10,000 price tag, suggesting it was inflated. Others questioned whether the vulnerability stemmed from a single bug or multiple chained exploits. A few commenters analyzed the technical details, focusing on the potential involvement of improperly configured OAuth flows or mismanaged access tokens within YouTube's systems. There was also skepticism about the ethical implications of disclosing the vulnerability details before Google had a chance to patch it, with some arguing responsible disclosure practices weren't followed. Finally, several comments highlighted the broader security risks associated with OAuth and similar authorization mechanisms.
The Hacker News post titled "Leaking the email of any YouTube user for $10,000" generated a moderate amount of discussion, with a number of commenters expressing skepticism and raising practical questions about the claims made in the linked article.
Several commenters questioned the feasibility of the exploit described in the article. They pointed out that obtaining an email address for $10,000 seems excessively expensive, especially considering the lack of clarity regarding the type of account being targeted (e.g., a regular user vs. a high-value brand account). Some suggested that simpler and cheaper methods might exist for obtaining such information, depending on the target.
One commenter expressed doubt about the legality of offering such a service, suggesting that it could potentially violate privacy laws like GDPR.
Another commenter highlighted the lack of technical details in the article, making it difficult to assess the validity of the claimed exploit. This commenter also wondered about the author's motivation for publishing the article without disclosing more information.
Some users discussed the potential implications of the exploit, with one suggesting that even if true, it might not be particularly impactful for most users. They pointed out that many YouTube accounts are already linked to publicly known Google accounts, making their email addresses relatively easy to discover.
Several commenters focused on the article's claim about being able to determine the subscriber count of private videos. They questioned the usefulness of this information, given that private videos aren't publicly visible.
Finally, a few comments touched upon the ethical implications of the described service and the broader issue of vulnerabilities in online platforms.
Overall, the comments on Hacker News largely reflect a critical and cautious response to the claims made in the article, with many users expressing doubts about its feasibility, practicality, and overall significance. The discussion focused on the high cost of the service, the lack of technical details, and the potentially limited impact of the described exploit.