YouTube bug let hackers impersonate any user

And you thought YouTube comments couldn’t get any worse.

YouTube comment sections are infamous as the most inane and nonsensical corners of the Internet. Maybe messing with them isn’t such a bad idea.

A pair of hackers recently discovered a vulnerability in YouTube’s code that allowed them to move, copy, and impersonate YouTube commenters without anyone being notified at all. (Perhaps that helps explain why the discussions on YouTube make so little sense.)

The bug, illustrated in a video below, allows anyone to easily steal comments and place them on a separate video at will.

The hackers, Ahmed Aboul-Ela and Ibrahim M. El-Sayed, earned $3,133.70 from Google for reporting the vulnerability, according to Aboul-Ela.

“Imagine for instance a celebrity or public figure leaving a comment on some video on YouTube saying, ‘Wow, This is an Amazing Video.’ You then come along, exploit that vulnerability, and quite simply make this comment appear on your own video instead,” Aboul-Ela wrote in a blog post.

The bug was found by looking at YouTube’s “report comment” feature. The feature leaks data, including the “video_id” and “comment_id.” By merely changing the comment_id, you can move any comment from anywhere on YouTube to any other video.
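The missing server-side check behind this kind of bug, as an added example that is not from the article or from YouTube's code: it assumes a hypothetical endpoint that receives both identifiers and publishes the referenced comment under video_id. The handler names, the in-memory store and the sample data are all constructed for illustration.

```python
import copy

# Constructed sample data (not real YouTube data): comment_id -> record.
COMMENTS = {
    "c1": {"video_id": "vidA", "author": "celebrity",
           "text": "Wow, This is an Amazing Video."},
    "c2": {"video_id": "vidB", "author": "uploader_b", "text": "first"},
}
VIDEO_OWNERS = {"vidA": "studio", "vidB": "uploader_b"}  # constructed


class Rejected(Exception):
    """Raised when a request references an object the caller may not act on."""


def fresh_store():
    """Return an independent copy of the sample comments."""
    return copy.deepcopy(COMMENTS)


def handle_vulnerable(comments, user, video_id, comment_id):
    # Flawed model: the caller is authorized for video_id, but comment_id is
    # taken from the request as-is and never tied back to that video.
    if VIDEO_OWNERS.get(video_id) != user:
        raise Rejected("caller does not own video_id")
    comments[comment_id]["video_id"] = video_id  # any comment gets re-homed
    return comments[comment_id]


def handle_hardened(comments, user, video_id, comment_id):
    # Same authorization on the video, plus a binding check: the comment must
    # already belong to the video named in the same request.
    if VIDEO_OWNERS.get(video_id) != user:
        raise Rejected("caller does not own video_id")
    comment = comments.get(comment_id)
    if comment is None or comment["video_id"] != video_id:
        raise Rejected("comment_id does not belong to video_id")
    return comment


if __name__ == "__main__":
    store = fresh_store()
    print(handle_vulnerable(store, "uploader_b", "vidB", "c1"))
    try:
        handle_hardened(fresh_store(), "uploader_b", "vidB", "c1")
    except Rejected as err:
        print("rejected:", err)
```

The hardened handler treats every identifier in the request as untrusted and re-derives the relationship between them from server-side state instead of trusting the pair the client sent.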

The entire process took six days from the bug being reported on March 25 to the reward being received on March 31.

A YouTube bug found earlier this month allowed a hacker to delete any video he pleased. For his trouble, that hacker earned just $1,337.

Illustration by Max Fleishman

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.