David Schutz, a self-proclaimed “bug hunter” in Hungary, found a flaw in YouTube’s embedded player that could have enabled anyone to view another person’s watch list and read the contents of their playlists through the player’s API.
The flaw provided an entry point to that data: a hacker could have stolen the watch history, along with data on public and private videos, of any user who opened the attacker's page. Finding the security bug earned Schutz a $1,337 bounty from Google.
This would have affected anyone who uses YouTube, from brands to influencers, to store sensitive or public information, such as strategy or focus, in the form of a video.
If the attacker prepared a page for a specific person on a website, they could have stolen an extensive list of information in addition to the watch list. Some of that data includes "liked" videos, private playlists, titles and other information from private business and personal videos uploaded to the site, as well as unlisted videos that are specifically intended for select people.
Schutz likes the challenge of finding the bugs and determining how to fix them. “I like [the part about stealing the unlisted videos] the most since a lot of people use unlisted videos to share personal/not-public videos with only specific people,” he wrote. “I’m also doing this, all of the POC videos I send to Google are unlisted videos, and I would consider them pretty sensitive.”
Schutz went on to explain that at the time of finding this bug, embedding the uploads playlist worked a bit differently than he expected.
“Previously I have said that the owner can see all of the videos in this playlist, despite the privacy settings,” he wrote. “This is still almost the case, but when an ‘Uploads’ playlist was embedded, the owner only saw the Public and the Unlisted videos in it, the Private videos were omitted.”
The only thing that keeps an unlisted video private is its video ID, he wrote. Stealing all of the unlisted video IDs allows the hacker to watch the victim’s unlisted videos.
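The class of weakness described above, as an added illustration that is not YouTube's code and does not reproduce the actual bug: a player embedded in a third-party page runs with the viewer's own login, so whatever its message API hands back to the embedding page is data about the viewer. The handler names, the trusted-origin list, the session object and the video IDs are all constructed for this example.

```javascript
// Added illustration of the risk class in the article: an embedded player
// answering data requests from the page that embeds it. Everything here
// (origins, session, video ids, handler names) is constructed, not YouTube's.

// Constructed: first-party origins allowed to receive account-specific data.
const TRUSTED_EMBED_ORIGINS = new Set(["https://video.example"]);

// Constructed viewer state: the playlists a logged-in viewer can see on the
// first-party site, including unlisted and private entries.
const viewerSession = {
  userId: "viewer-1",
  playlists: {
    uploads: {
      privacy: "public",
      videos: [
        { id: "pub-001", privacy: "public" },
        { id: "unl-002", privacy: "unlisted" }, // reachable only by knowing this id
        { id: "prv-003", privacy: "private" },
      ],
    },
    liked: { privacy: "private", videos: [{ id: "pub-004", privacy: "public" }] },
  },
};

// Vulnerable pattern: the handler returns the viewer's own view of the playlist
// regardless of which page embedded the player, so a hostile page that the
// viewer opens can read unlisted and private ids out of the response.
function vulnerableHandler(msg, session) {
  if (msg.type !== "listPlaylist") return null;
  const playlist = session.playlists[msg.playlist];
  return playlist ? playlist.videos.map((v) => v.id) : [];
}

// What a logged-out visitor would see: public videos of public playlists only.
function anonymousView(playlist) {
  if (!playlist || playlist.privacy !== "public") return [];
  return playlist.videos.filter((v) => v.privacy === "public").map((v) => v.id);
}

// Hardened pattern: account-specific data is released only to first-party
// origins; any other embedding page gets exactly the anonymous view, so the
// viewer's login adds nothing the embedder could not fetch on its own.
function hardenedHandler(msg, session, embeddingOrigin) {
  if (msg.type !== "listPlaylist") return null;
  const playlist = session.playlists[msg.playlist];
  if (TRUSTED_EMBED_ORIGINS.has(embeddingOrigin)) {
    return playlist ? playlist.videos.map((v) => v.id) : [];
  }
  return anonymousView(playlist);
}

// Stand-alone demonstration with a constructed third-party embedding origin.
const request = { type: "listPlaylist", playlist: "uploads" };
console.log("vulnerable:", vulnerableHandler(request, viewerSession));
console.log("hardened:", hardenedHandler(request, viewerSession, "https://third-party.example"));
```

In a real browser embed the `embeddingOrigin` argument is the `origin` property of the `message` event the player receives, which the browser sets and the embedding page cannot forge; the design point is that the check happens on the player's side, before any per-account data leaves the frame.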
The issue is now fixed, Schutz wrote.