Leaking YouTube creators' private videos
Vulnerability and attack mechanics
- Attack uses YouTube Studio’s AI comment summarizer: a malicious comment embeds instructions that cause the LLM to prepend an official‑looking notice and output an attacker‑controlled link.
- The link’s query parameter is filled with channel metadata the LLM can see (e.g., a video title, potentially from private/unlisted videos). When clicked, this leaks that data to the attacker’s server.
- Some users tested and could not reproduce; others report it appears quietly fixed (e.g., no links, or AI warns about phishing‑like comments).
Debate over severity and classification
- One camp: this is a real vulnerability because:
- Untrusted user input (comments) can influence trusted UI output (Studio AI).
- Links appear to originate from YouTube, lowering suspicion.
- LLM non‑determinism plus YouTube’s scale means even low‑probability success is dangerous.
- Other camp: impact is limited:
- Requires the creator to click a suspicious link; akin to classic phishing.
- Only leaks titles or unlisted URLs, not video content; private videos remain access‑controlled.
- Example PoC as written may assume knowledge it claims to exfiltrate.
Prompt injection, LLM limits, and mitigations
- Many argue prompt injection is fundamentally unfixable: LLMs don’t truly separate “data” from “instructions.”
- Suggested mitigations:
- Strip or neutralize links/HTML/Markdown in LLM input and output.
- Don’t give summarization agents access to private channel data or tools.
- Use separate LLM instances or “patterns” to isolate untrusted content.
- Add framing/warnings that AI responses may include user‑generated content.
- Others are skeptical that role boundaries or monitor‑LLMs can reliably stop attacks; see it as an arms race.
Google/YouTube incentives and bug bounty handling
- Some former and current Googlers describe internal incentives (promo/GRAD) that favor new features over fixing subtle bugs.
- Others counter that VRP severity is set by specialized security teams and that Google generally has good security culture but is overwhelmed by low‑quality, often AI‑generated reports.
- Several commenters note a pattern: reports labeled “not a bug” then quietly patched, undermining researchers’ trust and bug‑bounty incentives.
Trust, social engineering, and broader risks
- Even if technically “just” social engineering, the platform is:
- Laundering attacker instructions through YouTube’s authority (“IMPORTANT NOTICE FROM YOUTUBE”).
- Creating new phishing surfaces (fake billing, account actions, misdirected voting info, etc.).
- Commenters stress that average creators are unlikely to distinguish AI‑generated warnings from real platform messages, making this a serious creator‑trust and safety issue.