Stealing Your Private YouTube Videos, One Frame at a Time

Last modified on January 11, 2021

Befriend in December 2019, a couple of months after I began hacking on Google VRP, I become as quickly as taking a leer at YouTube. I wanted to salvage a method to win win entry to to a Non-public video which I did now not get.

If you occur to add a video to YouTube, you may interact between Three privateness settings. Public, that method that any particular person can salvage and discover your video, Unlisted, which absolute prime permits customers who know the video ID (the URL) to discover the video, and Non-public, the place absolute prime you may discover the video, or different accounts you’ve explicitly given permission to cease so.

Very very first thing I did become as quickly as to add a video to my 2nd discovering out fable’s YouTube channel, and blueprint the video’s privateness to Non-public, so I'll use that video for finding out. (Be conscious, repeatedly absolute prime check towards sources/accounts you get!) If I'll salvage a method to win entry to that video with my first discovering out fable, we get now a computer virus.

With my first fable, I began using YouTube, trying every characteristic, urgent every button I may salvage, and at any time when I seen an HTTP search recordsdata from with a video ID in it, I modified it to the goal Non-public video, hoping that I'll leak some information about it, however I wasn’t primarily getting any success. The first YouTube dispute (at the least the endpoints I even get examined), seems to repeatedly take a look at if the video become as quickly as Non-public or now not, and when making an attempt to search recordsdata from knowledge regarding the goal Non-public video, they repeatedly returned errors just like This video is inside most!.

I wanted to salvage yet another method.

A immense factor to cease in a ache fancy this, is to take a leer at to acknowledge different merchandise/services and products which are now not your foremost goal, however are in some way interacting with its sources internally. In the event that they've win entry to to its sources, it'll even be that you'd probably deem that they don’t get every stage of security that the principle product has.

A participating goal which matched these necessities become as quickly as Google Commercials. Right this is the product which advertisers use to create advertisements throughout all Google services and products, alongside aspect YouTube. So, the advertisements you win previous to YouTube movies are blueprint up by advertisers proper right here, on the Google Commercials platform.

So I created a Google Commercials fable, and created a novel commercial, which might play a video of mine as a skippable advert for YouTube customers. All by scheme of the advert creation exercise, I furthermore tried to make use of the goal Non-public video’s ID wherever I may, however no success.

After growing the advert, I began taking a leer at all of fully totally different Google Commercials elements. The article become as quickly as immense, it had a bunch of fully totally different settings/instruments. I become as quickly as trying to salvage one thing else that may be YouTube-associated.

There become as quickly as a internet web page often known as Videos, the place I may acknowledge a itemizing of movies gentle by my advertisements. Clicking on a video unfolded an Analytics portion for that particular person video. It had an embedded participant, some statistics, and an attention-grabbing characteristic often known as Moments. It allowed advertisers to “designate” specific moments of the video, to leer when a great deal of points occur (just like the timestamp of when the agency impact seems). To be actual I'm now not considerably sure what advertisers use this characteristic for, on the greater than a couple of hand, it appeared attention-grabbing:

The Moments feature on the Ads console

Taking a get a study the proxy logs, at any time when I “marked a 2nd”, a POST search recordsdata from become as quickly as made to a /GetThumbnails endpoint, with a physique which built-in a video ID:

POST /aw_video/_/rpc/VideoMomentService/GetThumbnails HTTP/1.1
User-Agent:  Web-Explorer-6
Cookie:  [redacted]


Where inside the __ar parameter, 1 become as quickly because the ID of the video and 2 become as quickly because the time of the 2nd in milliseconds. The response become as quickly as a unpleasant64 encoded picture, which become as quickly because the thumbnail displayed by Commercials.

I did what I did a bunch of instances already, and modified the ID to my 2nd fable’s Non-public video inside the search recordsdata from, and to my shock, it returned a unpleasant64 response!

I quickly Googled “unpleasant64 to picture”, and pasted the unpleasant64 into the primary decoder I discovered, and it displayed a thumbnail from the goal Non-public video! It labored! I even get discovered a working IDOR (Terrified Train Object Reference) computer virus, the place I may win a body from any inside most video on YouTube!

Nevertheless I become as quickly as fancy “hm, that's good one body”. We can cease higher.

I wanted to create a proof of opinion Python script which generates an real, transferring “video”. I regarded for some calculations, and discovered that if the video is in 24 FPS, one body stays on the show conceal for 33 milliseconds. So I good get to fetch every picture ranging from 0 milliseconds, incrementing by 33 milliseconds at any time when, after which win some roughly video using the entire images I even get acquired.

I wrote a fast and dirty POC which downloaded the frames for the primary Three seconds of a video, decoded them, after which generated a GIF. To envision it, I even get ran it towards an gentle video of mine, which I had beforehand privated ensuing from, indubitably, the excessive stage of flinch:

And there you get it, using this computer virus, any inside most YouTube video may want been downloaded by a malicious attacker, which to me feels fancy a pretty frigid have an effect on. Nevertheless indubitably, it had a couple of limitations I couldn’

Read More

Similar Products:

Recent Content