Please disable your adblock and script blockers to view this page

Stealing Your Private YouTube Videos, One Frame at a Time


YouTube
HTTP
Google Ads
ID
IDOR
Insecure Direct Object Reference
Python
POC
GIF


YouTube
Videos
response!I

No matching tags


Analytics

No matching tags

No matching tags

No matching tags

Positivity     46.00%   
   Negativity   54.00%
The New York Times
SOURCE: https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one-frame-at-a-time/
Write a review: Hacker News
Summary

(Remember, always only test against resources/accounts you own!) If I can find a way to access that video with my first testing account, we have a bug.With my first account, I started using YouTube, trying every feature, pressing every button I could find, and whenever I saw an HTTP request with a video ID in it, I changed it to the target Private video, hoping that I can leak some information about it, but I wasn’t really getting any success. The main YouTube site (at least the endpoints I have tested), seems to always check if the video was Private or not, and when trying to request info about the target Private video, they always returned errors such as This video is private!.I needed to find another way.A great thing to do in a situation like this, is to try to look for other products/services which are not your main target, but are somehow interacting with its resources internally. During the ad creation process, I also tried to use the target Private video’s ID wherever I could, but no success.After creating the ad, I started looking at all of the different Google Ads features.

As said here by