YouTube bug let hackers impersonate any user

And you thought YouTube comments couldn't get any worse.

Mar 1, 2020, 5:47 am*

Patrick Howell O'Neill 

YouTube comment sections are infamous as the most inane and nonsensical corners of the Internet. Maybe messing with them isn’t such a bad idea.

A pair of hackers recently discovered a vulnerability in YouTube’s code that allowed them to move, copy, and impersonate YouTube commenters without anyone being notified at all. (Perhaps that helps explain why the discussions on YouTube make so little sense.)

The bug, illustrated in a video below, allows anyone to easily steal comments and place them on a separate video at will.

The hackers, Ahmed Aboul-Ela and Ibrahim M. El-Sayed, earned $3,133.70 from Google for reporting the vulnerability, according to Aboul-Ela.

“Imagine for instance a celebrity or public figure leaving a comment on some video on YouTube saying, ‘Wow, This is an Amazing Video.’ You then come along, exploit that vulnerability, and quite simply make this comment appear on your own video instead,” Aboul-Ela wrote in a blog post.

The bug was found by looking at YouTube’s “report comment” feature. The feature leaks data, including the “video_id” and “comment_id.” By merely changing the comment_id, you can move any comment from anywhere on YouTube to any other video.
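The class of flaw described above, a handler that trusts a client-supplied `video_id`/`comment_id` pair, is shown here next to the server-side check that closes it. This is an added example, not code from the original article, the researchers, or YouTube; the function names, ids, users and data model are hypothetical.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a request references an object the caller may not act on."""


@dataclass
class Comment:
    comment_id: str
    video_id: str  # video the comment was originally posted on
    author: str
    text: str


# Constructed sample data (hypothetical ids and users).
VIDEO_OWNERS = {"vid_popular": "studio", "vid_mine": "mallory"}


def sample_comments():
    return {
        "c1": Comment("c1", "vid_popular", "celebrity", "Wow, this is an amazing video."),
        "c2": Comment("c2", "vid_mine", "bob", "First!"),
    }


def act_on_comment_unchecked(comments, actor, video_id, comment_id):
    """Before: trusts the client-supplied (video_id, comment_id) pair."""
    comment = comments[comment_id]
    comment.video_id = video_id  # comment now shows under the caller's video
    return comment


def act_on_comment_checked(comments, actor, video_id, comment_id):
    """After: both ids are validated against server-side state."""
    if VIDEO_OWNERS.get(video_id) != actor:
        raise Forbidden("caller does not control this video")
    comment = comments.get(comment_id)
    if comment is None or comment.video_id != video_id:
        # Same error for "missing" and "wrong video" so ids cannot be probed.
        raise Forbidden("comment does not belong to this video")
    return comment
```

The checked handler never uses the ids from the request as proof of a relationship: it looks the comment up and compares its stored `video_id` with the one the caller is entitled to act on.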

The entire process took six days from the bug being reported on March 25 to the reward being received on March 31.

A YouTube bug found earlier this month allowed a hacker to delete any video he pleased. For his trouble, that hacker earned just $1,337.

Illustration by Max Fleishman

*First Published: Apr 16, 2015, 8:37 am