Leaking YouTube creators' private videos

Vulnerability and attack mechanics

  • Attack uses YouTube Studio’s AI comment summarizer: a malicious comment embeds instructions that cause the LLM to prepend an official‑looking notice and output an attacker‑controlled link.
  • The link’s query parameter is filled with channel metadata the LLM can see (e.g., a video title, potentially from private/unlisted videos). When clicked, this leaks that data to the attacker’s server.
  • Some users tested and could not reproduce; others report it appears quietly fixed (e.g., no links, or AI warns about phishing‑like comments).

Debate over severity and classification

  • One camp: this is a real vulnerability because:
    • Untrusted user input (comments) can influence trusted UI output (Studio AI).
    • Links appear to originate from YouTube, lowering suspicion.
    • LLM non‑determinism plus YouTube’s scale means even low‑probability success is dangerous.
  • Other camp: impact is limited:
    • Requires the creator to click a suspicious link; akin to classic phishing.
    • Only leaks titles or unlisted URLs, not video content; private videos remain access‑controlled.
    • Example PoC as written may assume knowledge it claims to exfiltrate.

Prompt injection, LLM limits, and mitigations

  • Many argue prompt injection is fundamentally unfixable: LLMs don’t truly separate “data” from “instructions.”
  • Suggested mitigations:
    • Strip or neutralize links/HTML/Markdown in LLM input and output.
    • Don’t give summarization agents access to private channel data or tools.
    • Use separate LLM instances or “patterns” to isolate untrusted content.
    • Add framing/warnings that AI responses may include user‑generated content.
  • Others are skeptical that role boundaries or monitor‑LLMs can reliably stop attacks; see it as an arms race.

Google/YouTube incentives and bug bounty handling

  • Some former and current Googlers describe internal incentives (promo/GRAD) that favor new features over fixing subtle bugs.
  • Others counter that VRP severity is set by specialized security teams and that Google generally has good security culture but is overwhelmed by low‑quality, often AI‑generated reports.
  • Several commenters note a pattern: reports labeled “not a bug” then quietly patched, undermining researchers’ trust and bug‑bounty incentives.

Trust, social engineering, and broader risks

  • Even if technically “just” social engineering, the platform is:
    • Laundering attacker instructions through YouTube’s authority (“IMPORTANT NOTICE FROM YOUTUBE”).
    • Creating new phishing surfaces (fake billing, account actions, misdirected voting info, etc.).
  • Commenters stress that average creators are unlikely to distinguish AI‑generated warnings from real platform messages, making this a serious creator‑trust and safety issue.