Cyber Security Researcher Exposes the Biggest Threat Regarding YouTube Users’ Privacy

David Schutz, a security researcher, uncovered the potential for unauthorized access to a user’s viewing history, favorites, and playlists by threat actors. Threat actors manipulated a website and embedded a YouTube video to secure access to a user’s viewing history and playlists.
Threat actors managed to earn $1,337 via the security bug. Schutz explained that he discovered the vulnerabilities by linking two things in a somewhat “unexpected” manner. Website developers use the YouTube embedded player to embed videos in their own sites, and this player also exposes an API (Application Programming Interface).
The API lets users embed functions commonly executed on YouTube into their own website or application. It also allows users to retrieve, insert, delete or update many of these resources. A resource is a kind of item that forms part of the YouTube experience, which includes loading a new video or playlist, a subscription, or playing and pausing the player.
Every user on YouTube has a few personal playlists. For example, the playlist with the ID ‘HL’ comprises the user’s viewing history, the playlist with the ID ‘WL’ contains the videos the user has saved to view later, and so on.
David Schutz explained the vulnerabilities in a blog post: “Since the YT embedded player is also logged in to YT, a malicious website could have embedded a player, instructed it to play e.g., the ‘HL’ playlist (which would start playing the currently visiting user’s watch history), and get the contents of the playlists using the API the embedded player has, thereby stealing the watch history of the user who opened the website”.
“The attacker could also have prepared a page for a specific victim, which when opened by that victim, would steal the victim’s unlisted videos (which otherwise would require knowing the ID to watch). The main issue was that you were able to load private playlists into the player in the name of the victim, and later steal the contents of those private playlists,” the post further read.
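The flaw described above is a confused-deputy problem: the player acts with the viewer's login on behalf of whatever page embeds it. The following is an added example, not code from Schutz's post or from YouTube, that models the behaviour and one possible authorization check. Every class, function and origin name in it is an assumption; only the 'HL' and 'WL' IDs come from the article.

```javascript
// Constructed model of the flaw; not YouTube code. All names are hypothetical.
const FIRST_PARTY = "https://video.example";   // assumed origin of the video site itself
const PERSONAL_IDS = new Set(["HL", "WL"]);    // per-user playlist IDs named in the article

// Constructed sample data: the logged-in viewer's session and one public playlist.
const viewerSession = { user: "viewer-1", lists: { HL: ["vid-a", "vid-b"], WL: ["vid-c"] } };
const publicLists = { "PL-demo": ["vid-x", "vid-y"] };

function resolve(id, session) {
  if (PERSONAL_IDS.has(id)) return session ? session.lists[id] : [];
  return publicLists[id] || [];
}

// Behaviour the article describes: the embedded player carries the viewer's
// login, so a personal ID resolves to the viewer's data, and the embedding
// page can then read the loaded list back through the player API.
class VulnerablePlayer {
  constructor(session, embedderOrigin) {
    this.session = session;
    this.embedderOrigin = embedderOrigin;
    this.items = [];
  }
  loadPlaylist(id) { this.items = resolve(id, this.session); }
  getPlaylist() { return [...this.items]; }
}

// One possible fix: authorize the request against the page that issued it,
// not only against the viewer's session (a confused-deputy check).
class HardenedPlayer extends VulnerablePlayer {
  loadPlaylist(id) {
    const thirdParty = this.embedderOrigin !== FIRST_PARTY;
    this.items = PERSONAL_IDS.has(id) && thirdParty ? [] : resolve(id, this.session);
  }
}

// What a page at `origin` gets back after asking the player for playlist `id`.
function readAsEmbedder(Player, origin, id) {
  const player = new Player(viewerSession, origin);
  player.loadPlaylist(id);
  return player.getPlaylist();
}

console.log(readAsEmbedder(VulnerablePlayer, "https://third-party.example", "HL"));
console.log(readAsEmbedder(HardenedPlayer, "https://third-party.example", "HL"));
```

The hardened player still serves public playlists to any embedder and personal playlists to the first-party origin, so the check removes the cross-site read without breaking ordinary embeds.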