
How I found a bug in YouTube that let me watch private videos I wasn't allowed to, says compsci student
2021-01-12 05:55

Until early last year, Google's YouTube had a security flaw that made private videos visible at reduced resolution, though not audible, to anyone who knew or guessed the video identifier and possessed the technical knowledge to take advantage of the snafu.

On Monday, Schütz published his account of how he found the bug, which resided in a system called Moments that was intended to allow advertisers to mark a specific frame in the video, such as the appearance of a brand-relevant image.

Schütz found that the act of marking a Moment in a video generated a POST request to the /GetThumbnails endpoint and returned a base64-encoded thumbnail image from the video.

It turned out that if you made such a network request using the identifier of a private video, the ad tool would still fetch a thumbnail image.

"I searched for some calculations, and figured out that if the video is in 24 FPS, one frame stays on the screen for 33 milliseconds. So I just have to download every image starting from 0 milliseconds, incrementing by 33 milliseconds every time, and then construct some kind of video using all of the images I have acquired."
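As an added illustration, not code from the article or from YouTube, the sketch below contrasts a thumbnail handler with the access-control gap described above (it trusts the video identifier alone) with a hardened one that applies the video's visibility rule before reading any frame. The video store, user names, ids and frame bytes are constructed for the example.

```python
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Video:
    owner: str
    visibility: str  # "public", "unlisted" or "private"
    frames: dict     # timestamp in ms -> raw frame bytes (constructed stand-in for JPEG data)


# Constructed sample store; ids, owners and frame bytes are invented.
VIDEOS = {
    "pub001": Video("alice", "public", {0: b"frame-0-pub"}),
    "priv42": Video("bob", "private", {0: b"frame-0-priv", 33: b"frame-33-priv"}),
}


def thumbnail_vulnerable(video_id, timestamp_ms):
    """Mirrors the flaw: the tool resolves the video by id and returns a
    base64 thumbnail without asking who is calling or whether the video
    is private, so the id of a private video still yields its frames."""
    video = VIDEOS[video_id]
    return base64.b64encode(video.frames[timestamp_ms]).decode()


def can_view(video, user):
    """Visibility rule the watch page enforces: private videos are visible
    to their owner only; public and unlisted videos to anyone with the id."""
    return video.visibility != "private" or user == video.owner


def thumbnail_fixed(video_id, timestamp_ms, user):
    """Hardened form: authorize against the target video before reading a
    single frame. Returns (status, body) the way an HTTP handler would."""
    video = VIDEOS.get(video_id)
    # Unknown and forbidden ids get the same answer so the endpoint does
    # not confirm that a given private video id exists.
    if video is None or not can_view(video, user):
        return 403, None
    frame = video.frames.get(timestamp_ms)
    if frame is None:
        return 404, None
    return 200, base64.b64encode(frame).decode()


if __name__ == "__main__":
    print(thumbnail_vulnerable("priv42", 33))        # leaks bob's private frame
    print(thumbnail_fixed("priv42", 33, "mallory"))  # (403, None)
    print(thumbnail_fixed("priv42", 33, "bob"))      # (200, '...')
```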

For his efforts, Schütz was awarded a $5,000 bug bounty in January 2020 under Google's Vulnerability Reward Program (VRP). That, incidentally, was the amount the company paid in 2015 to security researcher Kamil Hismatullin after he reported a bug that made it possible for anyone to delete anyone else's videos.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/01/12/youtube_video_vulnerability/