Leaking the email of any YouTube user for $10,000 (Brutecat)
Original link: Leaking the email of any YouTube user for $10,000
My notes
This is the kind of hack I love reading about. As a hobbyist developer, it reinforces the idea that no security is ever enough. The only way to protect yourself is to stay small and niche, so that you either have no users or are not an interesting enough target for attackers.
So, if you block someone on YouTube, you can leak their Google account identifier? I tested it out. I went to a random livestream, blocked a user and sure enough, it showed up in https://myaccount.google.com/blocklist
That params is nothing more than just base64 encoded protobuf, which is a common encoding format used throughout Google. If we try decoding that moderateLiveChatEndpoint params … It actually just contains the Gaia ID of the user we want to block, we don’t even need to block them!
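As an added illustration of that point (this is not code from Brutecat's writeup or from this post), here is a schema-less decoder for such base64-encoded protobuf params strings, run on a constructed sample blob whose field values are placeholders. The design lesson for a defender is that base64 plus protobuf is encoding, not protection: any identifier placed into a client-visible params value is readable by whoever receives it, so sensitive identifiers must not ride there.

```python
import base64

def _varint(n):
    # Encode a non-negative int as a protobuf varint (only used to build the sample).
    out = bytearray()
    while True:
        out.append((n & 0x7F) | (0x80 if n > 0x7F else 0))
        n >>= 7
        if not n:
            return bytes(out)

def read_varint(data, pos):
    # Decode one varint at pos; returns (value, next position). Rejects truncated input.
    shift = value = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        b, pos = data[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def decode_raw(data):
    # Schema-less walk of the protobuf wire format, like `protoc --decode_raw`.
    # Handles varint and length-delimited fields; anything else is rejected.
    pos, fields = 0, {}
    while pos < len(data):
        tag, pos = read_varint(data, pos)
        num, wtype = tag >> 3, tag & 7
        if wtype == 0:                      # varint (ints, enums, bools)
            val, pos = read_varint(data, pos)
        elif wtype == 2:                    # length-delimited: bytes/string/submessage
            ln, pos = read_varint(data, pos)
            val, pos = data[pos:pos + ln], pos + ln
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        if pos > len(data):
            raise ValueError("truncated field")
        fields.setdefault(num, []).append(val)
    return fields

def decode_params(params):
    # Web-safe base64 with optional padding, the usual shape of such URL 'params' values.
    return decode_raw(base64.urlsafe_b64decode(params + "=" * (-len(params) % 4)))

# Constructed sample, not captured from YouTube: field 1 is a placeholder numeric
# account id, field 2 a placeholder string. The id is fully readable after decoding.
SAMPLE_PARAMS = base64.urlsafe_b64encode(
    _varint(1 << 3) + _varint(123456789012345) + _varint(2 << 3 | 2) + b"\x0bplaceholder"
).rstrip(b"=").decode()
```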
Hilarious. You would think a Google engineer would build something better than this, but you forget the law of large organisations: anything and everything will only ever be as good as the project manager pulling the strings. And it is project managers all the way down 🐢
Reminds me of the time I was reverse engineering an API for a data scraping project and discovered that the captcha solution was saved as a data attribute and could be entirely bypassed by setting a truthy flag in the POST request.
In situations like these, I say you get what you pay for. But Google seemingly pays a lot, doesn’t it? That’s why their vulnerability is a bit more sophisticated than the captcha.
Ho hum. So it goes.