The embedded YouTube player told me what you were watching

by hackerpainon 1/18/2021, 4:02:34 PM with 13 comments
  • by taldoon 1/18/2021, 5:19:12 PM

    $1,337 for watch history + liked videos + watch later disclosure? Requires user to visit a malicious site, yes, but still feels a bit skimpy.

  • by neetodavidon 1/18/2021, 10:07:03 PM

    Its too bad (in a way...) they couldn't get private video IDs to leak. It would have made an impressive combination with their bug posted earlier this month (Stealing Your Private Youtube Videos, One Frame at a Time https://news.ycombinator.com/item?id=25728175)

    Speaking of... do security researchers sometimes just sit on their discoveries in hopes that they will eventually lead to a bigger payout? I would be kicking myself if I had reported a bug for a relatively small reward that I could have leveraged in combination with another discovery

  • by grishkaon 1/18/2021, 7:12:33 PM

    Yet another example of why the whole concept of third-party cookies does much more evil than good. Yet all major browsers keep them enabled by default.

  • by ummonkon 1/18/2021, 11:40:14 PM

    This was an extremely serious privacy issue, and it's shocking that they'd only award $1,337 for a bug of this scope.

  • by pcthrowawayon 1/18/2021, 9:58:08 PM

    I honestly feel like Google's award in this case is pathetic. This is an exploit which would be worth 100s of thousands, if not millions to the wrong people.

  • by AbuAssaron 1/18/2021, 6:17:12 PM

    That’s why I don’t browse the web while logged in google/fb/twitter. As I keep them in separated firefox containers

  • by gverrillaon 1/18/2021, 5:52:49 PM

    doesn't google employ the elite of world programming? how can such stuff even happen? honest question.

  • by intricatedetailon 1/18/2021, 11:53:12 PM

    Companies should stop exploiting developers. Instead of erecting another sky scraper they should start paying the fair share.

  • by buoon 1/18/2021, 11:08:58 PM

    My understanding is that the javascript in a web page executes in the client. How can the page owner obtain the video lists?

  • by anonymousiamon 1/18/2021, 9:16:21 PM

    I can see why Google might want to downplay this. Partner websites could obtain the history info directly from users and Google would not need to disclose the data sharing. I'm sure the watchlists/history would be valuable tools for profiling and advertising purposes.

  • by djrogerson 1/18/2021, 5:10:28 PM

    This is a bad link, not sure how it got upvoted when following it fails (there’s a trailing . after the domain). That’s kinda fishy...

    Correct link should be https://bugs.xdavidhu.me/google/2021/01/18/the-embedded-yout...

  • by kkotakon 1/18/2021, 7:09:13 PM

    He lost me at - Forgot to eat Pizza.

  • by layer8on 1/18/2021, 5:20:04 PM

    EDIT: never mind

    Should probably be (2019), as the bug has been fixed since (as noted at the bottom of TFA).