In December 2019, a few months after he started hacking on the Google VRP program, a program for developers looking for bugs in Google's systems, a hacker called David Schütz found himself looking at YouTube. David wanted to find a way to get access to a private video that he didn't own. Here is how he did it.
Through Google Ads he managed to hack the system
When you upload a video to YouTube, you can select from 3 privacy settings. To look for a vulnerability in Google's system, the first thing he did was upload a video to the YouTube channel of his second test account and set its privacy to private. With his first account, he started using YouTube, testing every feature and hitting every button he could find. Every time he saw an HTTP request with a video ID in it, he would switch the ID to that of the target video, hoping the response would leak some information about it, but he wasn't having any success.
He finally found a security hole through Google Ads. This is the portal advertisers use to create ads on all Google services, including YouTube. The ads you see before YouTube videos are set up by advertisers here, on the Google Ads platform. So he created a Google Ads account and a new ad, which would play one of his videos as a skippable ad for YouTube users. After creating the ad, he started to look through all the different Google Ads features.
Finally, after lengthy checks, he found a vulnerable piece of code with which he could access the target private video, the one he wanted to attack, although he ran into a problem: he couldn't get sound from it. Using this bug, any private YouTube video could have been downloaded by a malicious attacker, which feels like a pretty cool hit to me. But of course it had some limitations that I couldn't get over:
- In the real world you would have to know the ID of the target video
- Since these are only images, the audio cannot be accessed.
- The resolution is very low.
Google rewarded him for finding and reporting the vulnerability
For the discovery, the developer received a reward of $5000 through the Google Vulnerability Reward Program (VRP).