
Leaking the email of any YouTube user for $10,000

tptacek

Since every 3rd message on this thread (at the time I wrote this) is about how Google underpaid for this bug, some quick basic things about vulnerability valuations:

* Valuations for server-side vulnerabilities are low, because vendors don't compete for them. There is effectively no grey market for a server-side vulnerability. It is difficult for a third party to put a price on a bug that Google can kill instantaneously, that has effectively no half-life once discovered, and whose exploitation will generate reliable telemetry from the target.

* Similarly, bugs like full-chain Android/Chrome go for hundreds of thousands of dollars because Google competes with a well-established grey market; a firm can take that bug and sell it to potentially 6 different agencies at a single European country.

* Even then, bounty vs. grey market is an apples-oranges comparison. Google will pay substantially less than the grey market, because Google doesn't need a reliable exploit (just proof that one can be written) and doesn't need to pay maintenance. The rest of the market will pay a total amount that is heavily tranched and subject to risk; Google can offer a lump-sum payment which is attractive even if discounted.

* Threat actors buy vulnerabilities that fit into existing business processes. They do not, as a general rule, speculate on all the cool things they might do with some new kind of vulnerability and all the ways they might make money with it. Collecting payment information? Racking up thousands of machines for a botnet? Existing business processes. Unmasking Google accounts? Could there be a business there? Sure, maybe. Is there one already? Presumably no.

A bounty payout is not generally a referendum on how clever or exciting a bug is. Here, it kind of is, though, because $10,000 feels extraordinarily high for a server-side web bug.

For people who make their nut finding these kinds of bugs, the business strategy is to get good at finding lots of them. It's not like iOS exploit development, where you might sink months into a single reliable exploit.

This is closer to the kind of vulnerability research I've done recently in my career than a lot of other vuln work, so I'm reasonably confident. But there are people on HN who actually full-time do this kind of bounty work, and I'd be thrilled to be corrected by any of them.

edanm

I don't remember if I've ever thanked you for the dose of reality you bring to these discussions, but if not - thank you! Before I started reading your comments on bug bounty payouts I'd probably have made the typical thoughtless (in my case) remark that the bounties are tiny, without actually thinking through the realistic dollar value of bugs found.

Not to mention not really thinking through how obviously stupid it is to immediately compare a legal activity to a highly illegal one, as if they're real alternatives for most people.

neilv

> Threat actors buy vulnerabilities that fit into existing business processes

Isn't there a market for this? For example, "Reveal who is behind this account that's criticizing our sketchy company/government, so we can neutralize them".

I'll also argue there are separate incentives beyond the market value to threat actors... Although a violent stalker of an online personality might not be a lucrative market for a zero-day exploit in this "threat actor" market, the vulnerability is still a liability (and ethical) risk for the company that could negligently disclose the identity of a target to a violent stalker.

IMHO, if you're paying a gazillion Leetcode performance artists well to churn out massive amounts of code with imperfect attention to security, then you should also pay well the people who help you catch and fix their gazillion mistakes, before bad things happen.

portaouflop

You are imagining a market that doesn’t exist.

First, there are only very few govs/companies that are sketchy enough to do this - and for those, a huge number of non-anonymous people with huge reach exist who have been very critical for years. If such a market existed they would assassinate all those first - you don’t need the email if you have the face, voice, and name - since that is not happening they just don’t care that much about it.

lolinder

> then you should also pay well the people who help you catch and fix their gazillion mistakes before bad things happen.

You missed their point about the business model of the security researchers here: their business model is finding a large number of small value vulnerabilities. Those who are good at this are very very good at this.

My company has a bug bounty program and some of the researchers participating in it make double or more my salary off of our program, but we never pay out more than this for a single report. And it's not like we're particularly vulnerable, we just get a steady stream of very small issues and we pay accordingly.

tptacek

They're right: I was talking about the business models at the buyers that these vulnerabilities have to slot into. The point I'm making is: there already has to be an operating business that's doing this for a vulnerability to be salable at all. If there isn't one, you're not selling a vulnerability, you're helping plan a heist.

pwillia7

Yeah, _should_ but businesses make money and not reporting and using the vulnerability in any other way is illegal, so they get to set the price as they're the only buyer. They know this.

mmsc

>Unmasking Google accounts? Could there be a business there? Sure, maybe. Is there one already? Presumably no.

Absolutely, yes. Spam and targeted phishing attacks are in high demand.

My understanding is that it is possible to retrieve every public YouTube channel ID, if not also Google Maps/Play reviewers, quite easily. This exploit could have been used to create a massive, near-complete database of every Google account that has automatically had a YouTube account created.

lolinder

> This exploit could have been used to create a massive, near-complete database of every Google account that has automatically had a YouTube account created.

Massive email databases are extremely cheap, often free. For this vulnerability to be worth more than $10k there would have to be something about it being a near-complete library of Google accounts (rather than just another massive mailing list).

And that's assuming the prospective buyer believed that they could exploit this vulnerability in full before discovery. If I'm reading this exploit right, each email recovered requires two requests, one of which needs to make one of the fields 2.5 million characters long in order to error out the notification email sent to the victim. Presumably that email sending error would show up in a log somewhere, so the prospective attacker would have to send billions of requests fast enough that Google can't block them as suspicious or patch the vulnerability, all the while knowing full well that they're filling up an error log somewhere and leaving an extremely suspicious pattern of megabyte-sized request bodies on a route that normally doesn't even reach kilobytes.

I'm honestly not seeing how you could make an email list out of this that is anywhere near complete, and even if you could I'm not sure where the value to it would be.
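The detection angle in the comment above (a route that normally sees kilobyte-sized request bodies suddenly receiving megabyte-sized ones from one source) can be checked mechanically. The following is an added example for this thread, not code from the original post or from Google; the log format, route names, IPs and body sizes are constructed placeholders.

```python
"""Per-route request-body-size anomaly detection over constructed access-log lines.

A known-good window of logs establishes, per route, what a normal body size is.
New lines are then flagged when their body is far larger than that baseline,
and flagged requests are summarised per source address so a burst from one
client stands out. Everything below (format, routes, sizes) is constructed.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed log format: "<timestamp> <client-ip> "<METHOD> <route>" <status> <request-body-bytes>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<route>\S+)" '
    r'(?P<status>\d{3}) (?P<body_bytes>\d+)$'
)

# Known-good window (constructed): a small form-style route and a bulk-upload route.
BASELINE_LINES = [
    '2025-02-12T10:00:01Z 203.0.113.5 "POST /invite" 200 412',
    '2025-02-12T10:00:02Z 203.0.113.6 "POST /invite" 200 380',
    '2025-02-12T10:00:03Z 203.0.113.7 "POST /invite" 200 455',
    '2025-02-12T10:00:04Z 203.0.113.8 "POST /invite" 200 501',
    '2025-02-12T10:00:05Z 203.0.113.9 "POST /invite" 200 530',
    '2025-02-12T10:00:06Z 203.0.113.5 "POST /invite" 200 610',
    '2025-02-12T10:00:07Z 203.0.113.6 "POST /invite" 200 640',
    '2025-02-12T10:00:08Z 203.0.113.7 "POST /invite" 200 700',
    '2025-02-12T10:00:09Z 203.0.113.8 "POST /invite" 200 720',
    '2025-02-12T10:00:10Z 203.0.113.9 "POST /invite" 200 810',
    '2025-02-12T10:00:11Z 203.0.113.5 "POST /upload" 200 4800000',
    '2025-02-12T10:00:12Z 203.0.113.6 "POST /upload" 200 5100000',
    '2025-02-12T10:00:13Z 203.0.113.7 "POST /upload" 200 5300000',
    '2025-02-12T10:00:14Z 203.0.113.8 "POST /upload" 200 4950000',
    '2025-02-12T10:00:15Z 203.0.113.9 "POST /upload" 200 5020000',
]

# Window under inspection (constructed): two 2.5 MB bodies on the small route from one client.
NEW_LINES = [
    '2025-02-12T11:00:01Z 203.0.113.5 "POST /invite" 200 470',
    '2025-02-12T11:00:02Z 198.51.100.7 "POST /invite" 500 2500000',
    '2025-02-12T11:00:03Z 203.0.113.6 "POST /upload" 200 6000000',
    '2025-02-12T11:00:04Z 198.51.100.7 "POST /invite" 500 2500000',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes"] = int(rec["body_bytes"])
    return rec


def build_baseline(lines):
    """Per route: median and 95th-percentile request body size from a known-good window."""
    sizes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sizes[rec["route"]].append(rec["body_bytes"])
    baseline = {}
    for route, vals in sizes.items():
        vals.sort()
        p95 = vals[min(len(vals) - 1, int(0.95 * len(vals)))]
        baseline[route] = {"median": statistics.median(vals), "p95": p95, "n": len(vals)}
    return baseline


def detect(lines, baseline, factor=100, unknown_floor=1_000_000):
    """Flag requests whose body exceeds factor * p95 for their route.

    Routes with no baseline are flagged only above unknown_floor bytes, so a
    new endpoint with ordinary traffic does not drown the output.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        base = baseline.get(rec["route"])
        threshold = base["p95"] * factor if base else unknown_floor
        if rec["body_bytes"] > threshold:
            alerts.append({
                "ts": rec["ts"], "ip": rec["ip"], "route": rec["route"],
                "status": rec["status"], "body_bytes": rec["body_bytes"],
                "threshold": threshold,
                "ratio": round(rec["body_bytes"] / max(base["p95"], 1), 1) if base else None,
            })
    return alerts


def summarize_by_ip(alerts):
    """Count flagged requests per source address; a high count from one IP is the signal."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    base = build_baseline(BASELINE_LINES)
    found = detect(NEW_LINES, base)
    for a in found:
        print(f'{a["ts"]} {a["ip"]} {a["route"]} body={a["body_bytes"]}B '
              f'({a["ratio"]}x the route p95 of {a["threshold"] // 100}B)')
    print("flagged per IP:", summarize_by_ip(found))
```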

kasey_junk

And then what?

Exploits need to plug into a business plan. Like any business plan there has to be somewhere that money gets extracted and that money needs to be more than the exploit cost & infrastructure costs & a risk premium.

If you can’t trivially say how the exploit explicitly gets turned into cash you probably are on the wrong track. Doubly so if it’s not a known standard and commoditized way that’s happened before.

wswope

Say you’re a blackhat OSINTer trying to steal crypto. You have a first initial and a last name for a target (“J. Smith”) - plus you know this person is on github and discord.

You take out your handy email list and run a regex to find candidate accounts that match “J Smith”. You pipe matches into a recon script to check if github and discord accounts exist for each email. Suddenly, you’ve got a small pool of matches. You try more account-existence recon to find all the sites they’re signed up on. You look up all breached creds tied to the target emails, then run cred stuffing against any sensitive services they’ve signed up for.

Boom, you’ve gone from first initial + last name to compromising an account in thirty minutes.

chmod775

There are often phishing campaigns targeting larger channels on YT, trying to trick someone with access to it into opening malicious e-mail attachments, with the end goal of taking over the channel. Usually the attackers then put a livestream on it and push some crypto scam. It must make enough money, given that it keeps happening.

Most recent example I've seen: https://www.youtube.com/watch?v=EnVxWK6DfMQ

grog454

> Exploits need to plug into a business plan

Or, you know, develop a new "business plan" around an exploit.

brookst

But then what? Given the number of accounts Google has, odds are that nearly every alphanumeric combo less than 8 or 10 characters plus “@gmail.com” is a Google account. This vulnerability gets you other domains, but I'm still not seeing it. Massive databases of email addresses are a dime a dozen.

The only angle I can imagine is phishing for high profile creators, and at most this is a “makes it easier” and not a “creates the problem” bug.

refulgentis

The back of an envelope can get you making silly claims quickly (ex. 26 ^ 8 is 208 billion)

jeffwask

Honestly, that leaves straight up harassment of YouTubers by other YouTubers and fans off the table which by itself would motivate a few of them. Some of the same people who play in the black and grey hat worlds are the same people buying DDOS attacks and swatting streamers. They would have a party with their emails.

lolinder

> which by itself would motivate a few of them

Motivation in the abstract is not enough to counter GP's point—they have to have enough motivation that it's worth more than $10,000 to them and also have more than $10,000 to spend and also have the connections necessary to get in touch with someone who's able to sell a vulnerability like this and also be able to exploit it in a timely manner or at least think they can.

tptacek

Draw up a straw-man business plan for this, with SWAG numbers.

asah

Also, Google can monitor the grey/black market and buy these exploits under false identities. For less urgent vulnerabilities (such as the YT email hack), this severely caps the bounty size.

dan-robertson

My guess was that people selling vulnerabilities generally know who they’re selling to. Is there a big market for people selling exploits to unknown/anonymous customers?

tptacek

People talk about "people selling vulnerabilities" as if there's an established pattern for selling arbitrary vulnerabilities. There is not. There's an established pattern for selling exploits for RCE vulnerabilities on a subset of popular client-side platforms. It's not an especially easy market to break into (as with consulting, people starting out here tend to end up subcontracting, and taking a huge income hit).

For any other kind of vulnerability, you're not so much "selling a product" as you are "helping plan a heist".

swiftcoder

It's a pretty big part of most black markets that vendors don't ask too many questions about the buyer.

Do you really want to know what the FSB plans to do with your exploit?

nullderef

Breaking the email system so that it's not sent is the cherry on top. With companies as big as Google who have developed so many products, "security" feels fake. If every line of code is a possible vulnerability, with millions it's just inevitable. It feels like the only way is to keep things simple (e.g., deprecate the recorder site), but even then.

rpigab

That's probably another reason why Google kills so many products that are successful, but not successful enough for Google's whole system to justify keeping them alive and secure.

echelon

100%. Every product not a part of the core mission is attack surface area, ongoing maintenance to ensure it works with the rest of Google services and infra, and drag on the rest of the team and velocity.

The part that sucks for consumers is that they often kill things that people like. I wish they had a better way of doing this.

Bravo to brutecat for this excellent discovery, productionization, and writeup.

zoklet-enjoyer

They could spin these products off into separate companies and cut the integration with the rest of the Google ecosystem.

robin_reala

Unfortunately with the number of users Google has, any deprecation will be met with cries of pain / I-rely-on-the-spacebar-to-heat-up-my-computer. See https://killedbygoogle.com/.

aeonik

They really aren't shy about massive breaking changes.

I'm still upset about Google Reader.

https://killedbygoogle.com/

thoroughburro

I remember being upset about Google Reader for a few months after its death… before moving to one of its many, fuller-featured competitors and carrying on using RSS feeds exactly as before.

What upsets me re RSS these days is how many people were apparently so reliant on one reader that they still publicly mourn every time it comes up, 12 years later. Who are these fair-weather feed followers who threw their hands in the air with the loss of exactly one product?

ibaikov

I realized I was reading too many websites and decided to switch to RSS, only to find out that Google had killed Reader a month earlier.

Years later, I came across Artifact, created by the founders of Instagram, and thought it was an interesting idea. The problem was I was reading its shutdown announcement.

Sometimes I think products are killed way too early. Look at twitch, it boomed after years of stagnation.

jfengel

I didn't use Reader. What was so special about it? Iirc it was an RSS aggregator, which sounds pretty simple to replace. Nobody has an open source equivalent?

Y_Y

Many of us are still upset about Reader. It definitely felt like a watershed moment between the old cool Google who sent pizzas to hackers and had clean fast web design and weren't evil.

I'd be so glad now to give up on Google and all its enshittified shit. I could give up things that are still super useful and I get value from every day: YouTube, Gmail, Play Services, Drive, Maps. But I don't think I could give them all up at once. I've been trying to migrate to Proton and OpenStreetMap and some kind of real Linux phone etc, I don't even mind if I have to fiddle around before everything works. The trouble is that the claws are in, but they're not in me.

Remember when Google proudly didn't advertise themselves? They got to critical mass through word of mouth, from having a compellingly better product. Now what they have is network effects and lock-in. They used to appeal to developers and techies, and that ended up making the services better for everyone. Now, like all the other tech giants, they have PHBs optimizing for the next millisecond of attention and microdollar of ad revenue from a lowest-common-denominator victim.

Google is so big that it's a significant part of life for a significant proportion of the world. When Google is shit it moves the needle on net human suffering. I think the UN should be focusing on preventing war and trying to salvage our environment, but if they aren't going to do that then it might be rational to just form a worldwide consumer group to take on megacorps.

meindnoch

+1 for Google Reader

That marks my coming of age on the enshittified web. The killing of Google Reader was a watershed moment. It marks the moment in time when the tide turned from the open Web to closed social media gardens.

DonHopkins

I'm still upset about the "I've Got A Bad Feeling About This" button.

https://www.youtube.com/watch?v=4Z4RKRLaSug

ramon156

Side note, what is that reference from? Searching "i rely on the spacebar to heat up my computer" directs me back to this comment (6 mins ago).

croisillon

you're one of today's lucky 10,000


cfreksen

It is a reference to the following XKCD comic: https://xkcd.com/1172/


vladms

I would challenge you to give me examples where security feels "real" and how does that help.

Most software products rely on very complex software stacks, and if you trust 100% all the libraries and the OS you use I would say it's a wrong mindset. There were bugs even in the processor (Meltdown). Security is a continuous battle and you never know if you won, only (sometimes) if you lose.

tialaramex

You can tell security is real the same way as lots of other things, reality doesn't give a fuck. Like how you can tell the difference between man's laws (e.g. "The Offside Rule" or "Constitutional Rights") and Mother Nature's laws (e.g. Thermodynamics). Try it, kick the ball even though the rule says you mustn't - if you get lucky the referee doesn't notice and play continues. But if you try to make a system more ordered without expending energy it does not work. Reality doesn't give a fuck.

When I breeze through your login process with the wrong credentials that's because your security was fake, if it was real that would break because it didn't know who I was, so if some bug lets me past login I don't somehow successfully log in as me, I'm logging in as nobody at all which is clearly nonsense.

This is "Make Invalid States Unrepresentable" at scale, and it's difficult to do, but not impossible.

hkwerf

You're essentially suggesting a Drake equation [1] equivalent for the number of security vulnerabilities based on NLoC. What other factors would be part of this equation?

[1] https://en.wikipedia.org/wiki/Drake_equation

CSMastermind

Language or framework definitely plays a role (isn't that what the Rust people are so excited about?). Maybe say something like the materials/tools used.

There's definitely some measure of complexity. I still like simple cyclomatic but I know there are better ones out there that try to capture the cognitive load of understanding the code.

The attack surface of the system is definitely important. The more ways that more people have to interface with the code, the more likely it is that there will be a mistake.

Security practices need to be captured in some way (maybe a factor that gets applied). If you have vulnerability scanning enabled that's going to catch some percentage of bugs. So will static analysis, code reviews, etc.

maximus-decimus

How close to the Ballmer peak the programmer was when he wrote the code.

bobnamob

Correlated or inversely correlated?

zwnow

The point is: security is fake. No app is truly secure. You can spend millions on app security and all it takes to breach that is one slip up of a human user.

TheDong

I'd take away "security is complicated and multi-faceted", not "fake".

It's not a black and white of "an app is truly secure" or "an app is truly insecure", but rather a continuum from "secure enough in practice for this threat model and purpose" to "an insecure mess".

Like, plenty of websites and apps have launched, existed for years, and then shut down without a single security incident. In those cases, surely the app was secure, right? At least secure enough? Signal so far has been "secure enough in practice" for most people, while iMessage has in practice been "secure enough if you're a normal person, but with serious security issues for anyone who might be subject to serious targeted attacks".

Say more about what you mean by "no app is truly secure"? Especially in the context of signal?

zwnow

I'm just saying that all it takes is one employee to click on the wrong URL to breach your app's security. I am not talking about the app itself. You can have all the security implemented the world has to offer and yet you can't get rid of human errors.

progforlyfe

Wow, until the very last paragraph for some reason I was thinking that it COST $10,000 to leak the email of any YouTube user, like either a black market cost or purchasing cloud resources =) -- Very nice exploit though!

fnordian_slip

Very nice breakdown. But while 10,000 dollars seems like a decent sum, I expected more for a bug of this severity, if I'm being honest. Especially as they initially only awarded 3100. But I'm not sure how much is usual for such cases. Almost 150 days also seems kind of a long time for fixing it imho.

Frieren

Bounties make sense for open source projects where the main reward is to contribute to the community.

For private corporations/closed code, it is a way to get a thousand engineers looking at their code and APIs and only pay a small amount to whoever is the first one to find something. Everybody else gets nothing even if they put in a lot of time and effort.

Underpaid is an understatement.

blagie

$10k is not a decent sum. The compensation reflects roughly 0.25-3 weeks of SWE costs in payout.

Industry-wide SWE compensation is somewhere in the $100k-$200k range. Typical Google SWE compensation is $350k. Top Google SWE salary is north of $1M. Increase by 60-100% for overhead, or somewhat more for consulting overhead.

The amount of work doing something like this is orders of magnitude more than the compensation:

1) Most security vulnerabilities investigated lead nowhere, were previously discovered, etc. That's lost time.

2) Working out something like this is much more than 0.25-3 weeks.

More critically, the black market value of most vulnerabilities is much more than Google pays out. A rational economic actor would sell something like this grey market or black market, rather than reporting.

The problem is none of the big companies take security seriously. The reason is that there are no economic damages to even serious data leaks, so what incentive is there for them to take data security seriously?

Many companies (including big ones like T-Mobile) have major security compromises every few months (and in the case of T-Mobile, have had so for decades) and simply don't care. I don't mean to pick on T-Mobile -- I like them as a company -- but they're pretty representative.

tptacek

It's an extraordinarily high sum for this kind of finding. Bounties are generally not a referendum on how clever the underlying work is. A full-chain iOS bug is worth hundreds of thousands of dollars because Apple competes with the grey market for it (and even then, it's an apples-oranges comparison and Apple pays substantially less than the rest of the market for structural reasons). Nobody competes for this bug; nobody is going to pay these people $10,001 for a bug that Google can end instantaneously the moment they figure out what's happening.

iinnPP

Just because companies are paying X doesn't mean that X isn't a low sum.

Calling 10k an "extraordinarily high sum" is accurate to some and inaccurate to others.

I would bet the groups would differ by perceived personal cost more than the opinion of Google, Apple, and the like. These groups would also probably show distinction where people have been victimized by "identity theft."

The opinions of those bearing the cost are more important here, in my opinion.

blagie

My commentary was precisely about the state-of-the-practice.

That $10k is "an extraordinarily high sum for" what was likely weeks of work on this bug, and probably months of work poking in other places, reflects the very, very low focus on security industry-wide. This is why we need significant civil -- or possibly occasionally criminal -- liability. Civil if it's simple negligence, and criminal if it's gross negligence leading to harm.

If Google were to pay me $200 if it leaked my data, that would:

- Be worth much less than my privacy

- Amount to damages of $400B worldwide if there were a compromise impacting all 2B users (although, realistically, damages would be lower in middle and low income countries)

This would represent a 20% fall in Google's market cap, which feels about right.

At that point, I expect the bug bounties would be set many orders of magnitude higher. Security bugs should be rare. They're common. This is a problem, and one created by our market incentive structures.

You are correct that Apple is an exception, and seems to mind security.

ianhawes

You’re significantly underestimating the value of dox-style exploits. Author could have partnered with a black hat vendor who would offer (for example) $25 per lookup. Or they could’ve done bulk scraping of YouTube channels to get emails and sold the dataset.

It requires some legwork but they could’ve seen somewhere in the ballpark of 6 figures over 1 year if the exploit wasn’t patched.

Oh, and if they had no ethics.

kccqzy

Bug bounty payouts are not effort based. It does not matter how much time it took the discoverer to find the vulnerability. So discussing the amount of work involved is irrelevant. Comparing it against the fixed rate salary of a SWE is even more irrelevant, except that your argument shows it is more profitable for a hypothetical person relying on bug bounty income to instead join Google as an internal red teamer.

blagie

Unless you can stumble on Google vulnerabilities casually, it's showing quite the opposite -- how unprofitable it is to work from bug bounties.

ant6n

I wonder where I could get 10K for a week of work. That'd be a nice vacation supplement. ㋡

yieldcrv

salary and compensation are not synonyms; you used them interchangeably

55555

This is a puny payout IMO. If they poked around a bit more they may have found a better GAIA->Email vulnerability or perhaps could just use the one they found. A database of emails for every major youtube channel would be worth an awful lot.

aimazon

Major YouTube channels are typically managed by multiple people through the channel management features and brand accounts. I don't think it's possible to even log in to the brand account (which has a generated email address like channel-000000000000000000000@pages.plusgoogle.com) instead it can only be accessed through an authorized user's account (which are distinct from the channel, i.e: it's not the email address that would be surfaced by this attack). Granted, things have changed over the years, so there may be old channels lingering with Google account linked email addresses, but from what I can tell, all channels were converted a while back.

https://support.google.com/youtube/answer/7001996?hl=en-GB

edit: My hunch is that the channels the OP's attack was able to target are not actual channels but rather YouTube users (who have a "channel" because that's how YouTube represents users): so "YouTube User" is the correct description of this attack, which is distinct from what you're thinking of as a channel.

imdsm

Think this is puny — I found the ability to reveal emails in npmjs.org but as it hadn't been included in the new GitHub/Microsoft bug bounty scope yet, I was given a t-shirt and $1000.

Talk about puny!

KomoD

I think this is puny: I was able to take over accounts on a cybersecurity platform just by knowing their account email and was only paid $200

TheDong

I think this is puny; I can take down almost any site on the internet just by knowing the DNS name, and in exchange all I get is threats of criminal prosecution under anti-DDoS laws

Xcelerate

Do you mind sharing which platform?

davidmurdoch

I was able to run JavaScript inside an email in the Gmail app on Android (it required the user to tap within the email body). I only got a Nexus 7 tablet.

croisillon

in an old company of mine they started an intranet, but if you opened it as http instead of https you'd see raw code including SQL passwords and everything; I reported it to them, to which they replied "yeah just open it with https like everyone else"

croisillon

the burden of being conscientious, I guess

tptacek

Serverside vulnerabilities have essentially no market outside of bug bounties. This is a hell of a payout for a web finding.

mosselman

Unless you build a “get email for all of your viewers” service that streamers use to gather emails

tptacek

And then Google notices, kills the bug, and comes after you. Meanwhile, each of those streamers is criminally liable. Sounds like a great business!

ajross

What would an appropriate payout be? I mean, the classification ("high exploit probability, abuse-related impact") seems about right to me. Are you saying that abuse bugs should be more valuable? That all bugs should pay more? That this is a rich company so they should pay more?

> If they poked around a bit more they may have found a better GAIA->Email vulnerability

They still can! Report more bugs, get more bounties. I don't see how this is related to how much they paid for this one.

> A database of emails for every major youtube channel would be worth an awful lot.

It's pretty clear from the article that you can't use this API to scrape at that kind of volume. This kind of thing was never in the offering. As the title says, you can leak "any" email, not "every" email.

xyst

A database of every YT user then x-referencing them with public services (fb/ig/twitter). Build shadow profiles, sell db to highest bidder.

Or just plain ole pwning them. Most users still tend to use the same password across different services, not use 2FA, and involved in at least 1 high profile leak (I know I’m in at least a dozen so far per haveibeenpwned).

Occasionally you get the victim that uses that same password for their e-mail service and that can allow you to bypass e-mail 2FA if enabled. Even better if the account is used for social SSO (ie, Google, Facebook, Twitter). Then you have access to a treasure trove of services; or just delete them for lulz

philipwhiuk

> Some time ago, I was looking for a research target in Google and was digging through the Internal People API (Staging) discovery document

Should... should this just be public: https://staging-people-pa.sandbox.googleapis.com/$discovery/...

kccqzy

It's just an automatically translated schema file from their internal .proto definition. Google relies on real cryptography not security through obscurity.

Furthermore the discovery endpoint is publicly documented[0] and specifically meant for external users. Nobody internal would read the discovery endpoint: they would just pull up the .proto file through code search.

Another observation: from my experience at Google it took multiple weeks of effort fighting against the bureaucracy to be able to expose an API to the public. It's not like an AWS S3 bucket that could just be accidentally public. The team knew this is public and had fought the bureaucracy to make it public.

[0]: https://developers.google.com/discovery/v1/getting_started

robin_reala

I’d misunderstood the title to refer to $10k of GPU compute or something like that. Unfortunately I suspect there’ll be tens or hundreds of occurrences of this bug given that they just picked one old Google product and immediately found a hole.

SXX

> given that they just picked one old Google product and immediately found a hole.

This is just not how it works. Most likely the author spent weeks or months digging into different products until he found something worthwhile.

saretup

I misunderstood it to mean they are selling any YouTuber’s email address for $10k

AznHisoka

“Applied 1 downgrade from the base amount due to complexity of attack chain required” <— is this common?

I’ve only participated in a few vulnerability programs, and most of them reward less if the security flaw is stupidly simple (but serious) such as revealing user emails in the page source.

tptacek

I had the opposite impression, that it got dinged for being relatively complex for a web finding.

sebstefan

“Applied 1 downgrade from the base amount due to complexity of attack chain required”

The attack chain isn't that complex...

It's very lame to be stingy with a bug bounty program.

donatj

After reading the article top to bottom I still had to come to the comments to find out what the "for $10,000" was about. It's the payout for a bug bounty.

michpoch

Am I very naive expecting the payout to be significantly higher?

tgsovlerkhgsel

Yes. Bug bounties aren't that high. For an issue that does so little (leaking an identity vs. e.g. giving access to an account or remote code execution), I'd actually consider that a surprisingly high amount, and I would expect that many companies wouldn't consider this class of bug a bounty-worthy issue at all - "thanks for the report", maybe fix it maybe not, but no bounty.

ec109685

Interesting that the bounty amount went down due to how obscure the attack vector was.

cesarb

To me, that payout felt quite high; it's bigger than the average monthly salary for a senior IT professional where I live. To put it another way, that bounty alone would be like being paid for several months of full-time employment.

SXX

Unfortunately, high payouts are just not how the cybersecurity industry works. Instead of high payouts you get vanity and a higher chance of getting a well-paid job.

immibis

You can get a high payout if you're also willing to risk your life. Companies are relying on researchers doing the ethical thing instead of the profitable thing.

hoerzu

I haven't gotten access to my YouTube channel since it migrated to Google account. If anyone can set me in contact with anyone who can help recover my account, it will be rewarded with karma for life

ornornor

Haha, a human at Google. Good luck. My Maps reviews have been almost always blocked, because reasons, for years; I'm still trying to reach a human there.