Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Stealing Your Private YouTube Videos, One Frame at a Time - 357

David Hu - Posted 5 Years Ago
  • YouTube (which is owned by Google) offers three visibility settings for a video: Public (what it sounds like), Unlisted (not in search but can be found via a direct link) and Private (only my account has access).
  • The general goal of the attack was to view Private videos on YouTube in some way. The author of the article was mostly hunting for insecure direct object reference (IDOR) bugs that allowed access to a private video.
  • Testing all of the YouTube endpoints turned up nothing. But what about other services that would have access to the internals of YouTube? As stated above, YouTube is owned by Google.
  • It turns out that Google Ads can take in video IDs and use them in its ad services! This seems like an interesting place to look for an IDOR.
  • After testing several of the YouTube video-based APIs on Google Ads, the author tested the /GetThumbnails API. It sent back a base64-encoded blob, which was a frame of the Private video!
  • After discovering this single frame IDOR, the author wrote a script to steal the entire video (frame by frame). Of course, because this was a thumbnail, no audio can be heard. Additionally, the video ID must be known.
  • I really enjoyed the cross-service aspect of this attack. This is something that I will definitely need to consider in the future.