How I found a bug in YouTube that let me watch private videos I wasn't allowed to, says compsci student

Until early last year, Google's YouTube had a security flaw that made private videos visible at reduced resolution, though not audible, to anyone who knew or guessed the video identifier and possessed the technical knowledge to take advantage of the snafu. The bug was fixed in January 2020, after it was identified in December …

  1. Mike 137 Silver badge

    "YouTube's developers overlooked the security and privacy implications of the Moments feature"

    How about "YouTube's developers never even considered the security and privacy implications of the Moments feature"?

    Trying to be secure but doing it imperfectly is dramatically less common than entirely ignoring security. It's not the developer's problem or the service provider's - it only affects the users, so who cares? All that's needed is to 'take their security seriously' after the fact.

  2. Anonymous Coward

    $5000 seems unwisely stingy. There's probably more to be had selling flaws into the black market.

    1. DavCrav

      "$5000 seems unwisely stingy. There's probably more to be had selling flaws into the black market."

      Should the black market not always add a premium, since you're committing a crime? I wouldn't say "This murderer is offering me £1 more than that chef for my knife. I'll go with the murderer."

      1. doublelayer Silver badge

        The black market may add that premium, but it's a lot easier to sell something to the black or gray markets than it is to sell a knife to a murderer, and if you're prone to rationalizing, there are people who might use an exploit purchased on the black market for purposes you don't consider evil. For example, there are people who will pay a lot for iOS exploits. Some of these are creepy companies or governments who want to break into citizens' equipment, but another category is people who want to jailbreak. So Apple probably has to offer quite a bit of money to compete not only with malicious people willing to spend a lot of money, but also people who aren't as unsympathetic. Another reason it's different is that selling an exploit isn't illegal unless you know or have a strong enough suspicion that it will be used for illegal purposes. Using the same example, it's not illegal to jailbreak a phone, so it's not illegal to sell an exploit to people who will use it to jailbreak a phone. A lot of ethical researchers will never consider selling exploits, but there are many researchers who might not mind so much. Companies who don't want to see others with the exploits would be well-advised to consider price competitiveness.

        1. DavCrav

          "Another reason it's different is that selling an exploit isn't illegal unless you know or have a strong enough suspicion that it will be used for illegal purposes."

          It's not technically illegal, but if caught doing so you will likely be in a lot of trouble, even if, in the end, you are found not guilty. And you had better make sure you comply with all the money laundering regulations, so you need to know that you are selling it to genuine companies and getting paid with traceable, over-the-counter currency. Anyone paid in BTC will have difficulty convincing anyone that they didn't know it was dodgy.

          "Companies who don't want to see others with the exploits would be well-advised to consider price competitiveness."

          Ah, blackmail.

  3. MrBanana
    Joke

    Video of exploit

    So he produced a video of the exploit, and then uploaded it to YouTube. Did he mark it as private?

  4. Anonymous Coward

    At least they acknowledged that there was a flaw and fixed it... rather than the seemingly more common attitude of denying there's a problem (threatening to sue is optional), then waiting until there's a massive exploit, closely followed by "taking steps" to "ensure it doesn't happen again".

    1. Anonymous Coward

      Don't forget "expressing regret" and "assuring customers that we take safeguarding your data seriously".

      1. mikepren

        And denying that the leaked data has actually been used.
