
How I found a bug in YouTube that let me watch private videos I wasn't allowed to, says compsci student

Theft-by-a-thousand-cuts flaw fixed


Until early last year, Google's YouTube had a security flaw that made private videos visible at reduced resolution, though not audible, to anyone who knew or guessed the video identifier and possessed the technical knowledge to take advantage of the snafu.

The bug was fixed in January 2020, after it was identified in December 2019 by David Schütz, a computer science student at the University of Szeged in Hungary, and reported to Google through the company's Vulnerability Rewards Program (VRP).

On Monday, Schütz published his account of how he found the bug, which resided in a system called Moments that was intended to allow advertisers to mark a specific frame in the video, such as the appearance of a brand-relevant image.

Schütz found that the act of marking a Moment in a video generated a POST request to the /GetThumbnails endpoint and returned a base64-encoded thumbnail image from the video. And it turned out that if you made such a network request using the identifier of a private video, the ad tool would still fetch a thumbnail image.


At that point, Schütz reasoned that he might be able to use the Insecure Direct Object Reference, or IDOR, that he had identified to request a series of individual frames and combine them into a sequence that approximates the original video.

"I wanted to make a proof of concept Python script which generates an actual, moving 'video,'" he explained in his writeup. "I searched for some calculations, and figured out that if the video is in 24 FPS, one frame stays on the screen for 33 milliseconds. So I just have to download every image starting from 0 milliseconds, incrementing by 33 milliseconds every time, and then construct some kind of video using all of the images I have acquired."

It worked. Schütz was able to download thumbnails for a sequence of frames that could be reassembled and played back. And he made a video of that process which you can see below:

Schütz acknowledges that the technique has limitations: thumbnail images yield only a low-resolution reconstruction, no audio track is captured, and you have to supply the identifier of the private video to be fetched, which is not easily guessed.

But he notes that the flaw underscores the value of looking at how adjacent systems interact. In this case, YouTube's developers overlooked the security and privacy implications of the Moments feature.
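To make the two technical points above concrete (the missing authorization check on the thumbnail endpoint, and the frame-stepping loop that turns single thumbnails into a sequence), here is an added Python model. It is not Schütz's proof-of-concept script and not YouTube's code: the in-memory video store, the byte-string "frames", and the names `VIDEOS`, `get_thumbnails_vulnerable`, `get_thumbnails_fixed`, `frame_timestamps` and `reconstruct` are all assumptions made for the example. The flawed handler only checks that the video exists, so anyone who knows the ID gets a thumbnail, which is the IDOR; the fixed handler applies the video's own visibility rule before rendering. The stepping interval is derived from the frame rate (1000/fps ms, about 41.7 ms at 24 FPS; 33 ms is the interval for 30 FPS) rather than hard-coded.

```python
import base64
import math
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Video:
    owner: str
    private: bool
    duration_ms: int


# Constructed stand-in for the video store (assumption, not YouTube's data model).
VIDEOS = {
    "pub1": Video(owner="alice", private=False, duration_ms=1000),
    "priv1": Video(owner="bob", private=True, duration_ms=1000),
}


class Forbidden(Exception):
    """Raised by the fixed handler when the requester may not see the video."""


def render_frame(video_id: str, t_ms: int) -> bytes:
    # Constructed stand-in for the thumbnail renderer: a real service would decode
    # the video and return a JPEG; here the "image" is a deterministic byte string.
    return f"{video_id}@{t_ms}ms".encode()


def get_thumbnails_vulnerable(requester: Optional[str], video_id: str, t_ms: int) -> str:
    """Models the flawed /GetThumbnails behaviour: the only check is that the video
    exists, so the requester's identity never influences the answer (an IDOR)."""
    VIDEOS[video_id]  # KeyError for unknown IDs, standing in for a 404
    return base64.b64encode(render_frame(video_id, t_ms)).decode()


def get_thumbnails_fixed(requester: Optional[str], video_id: str, t_ms: int) -> str:
    """Object-level authorization: the adjacent endpoint enforces the same
    visibility rule as the video itself before rendering anything."""
    video = VIDEOS[video_id]
    if video.private and requester != video.owner:
        raise Forbidden(video_id)
    return base64.b64encode(render_frame(video_id, t_ms)).decode()


def frame_timestamps(duration_ms: int, fps: float) -> List[int]:
    """One timestamp per frame: i * (1000 / fps) ms, rounded to whole milliseconds.
    At 24 FPS that is roughly 0, 42, 83, ...; at 30 FPS it is 0, 33, 67, ..."""
    frame_count = math.floor(duration_ms * fps / 1000)
    return [round(i * 1000 / fps) for i in range(frame_count)]


def reconstruct(
    fetch: Callable[[Optional[str], str, int], str],
    requester: Optional[str],
    video_id: str,
    duration_ms: int,
    fps: float = 24.0,
) -> List[bytes]:
    """The frame-stepping loop: request a thumbnail at every frame boundary and
    decode the base64 payloads into an ordered list of images. Stops at the first
    refusal, which is what a caller sees against the fixed endpoint."""
    frames: List[bytes] = []
    for t_ms in frame_timestamps(duration_ms, fps):
        try:
            frames.append(base64.b64decode(fetch(requester, video_id, t_ms)))
        except Forbidden:
            break
    return frames


if __name__ == "__main__":
    leaked = reconstruct(get_thumbnails_vulnerable, None, "priv1", 1000)
    print(f"vulnerable endpoint, anonymous caller: {len(leaked)} frames of a private video")
    blocked = reconstruct(get_thumbnails_fixed, None, "priv1", 1000)
    print(f"fixed endpoint, anonymous caller: {len(blocked)} frames")
    owner = reconstruct(get_thumbnails_fixed, "bob", "priv1", 1000)
    print(f"fixed endpoint, owner: {len(owner)} frames")
```

The check a practitioner would add when auditing a feature like Moments is the one `get_thumbnails_fixed` encodes: every endpoint that derives data from a resource must apply that resource's access rule, not just confirm the resource exists. In a real assessment, the fetch function would be an authenticated HTTP client against the endpoint, and the assembled frames would be written out with an image or video library.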

For his efforts, Schütz was awarded a $5,000 bug bounty in January 2020 under Google's VRP. That, incidentally, was the amount the company paid in 2015 to security researcher Kamil Hismatullin after he reported a bug that made it possible for anyone to delete anyone else's videos. ®
