Leaking the email of any YouTube user for $10k
486 comments
February 12, 2025
rkagerer
sedatk
I thought they meant providing the services to leak the email of any user for $10K, perhaps per user. :)
adrianmonk
I thought they meant it cost $10K of compute time to brute force some process that would reveal one email address.
raffraffraff
Yeah, probably getting an LLM to do it
cassepipe
I think this was the clickbaity intention behind the title
cubeflake
I agree, this feels intentionally misleading.
sim7c00
well, i guess it got me to read these comments and think, ok no thanks :D
raffraffraff
That's what I thought too because that's exactly how it's phrased! Terrible wording.
stevage
Me too.
I thought it meant they were offering this as a service for $10k.
willtemperley
I think this was the joke.
mahmoud111
Me too.
I thought it meant they were offering this as a service for $10k.
nickvec
Could be a clickbait sort of title.
cubeflake
Thank you, I think the title is misleading and your comment clears up the confusion.
DecentShoes
Yeah, I thought it was going to be about compute cost for brute forcing some hash or something
tomsmeding
The domain name kind of suggests this interpretation, too.
mikeyinternews
The title should have been something like, "Revealing the email address"...
SZJX
From the D/M/Y date format at the end of the article, they may not be native English speakers (at least they aren’t American).
defrost
The USofA is the bizarre exception here:
The United States has a rather unique way of writing the date that is imitated in very few other countries (although Canada and Belize do also use the form). In America, the date is formally written in month/day/year form.
They don't use metric, still use First Past the Post voting, elect a mini monarch with effectively unchecked powers, ... it's an odd place.
kinematicgps99
Also, the US military used/uses DDMMMYYYY format, i.e., 15JAN2025, where MMM is the month abbreviation, which is similar to one of the formats used in Romania. This has the benefits of unambiguous parsing and no need for component separators but lacks lexicographical sort-ability like ISO 8601. A format like YYYYMMMDD might retain some of the advantages of ISO 8601 by keeping items of the same year and month together at a minimum. (ISO 8601 is the most proper date format though. ;)
OhMeadhbh
Don't oversell the place. It also has its downsides.
genewitch
We write the date that way because that's how we say the dates in conversation: today is February 13th, 2025.
02/13/2025. I personally use ISO dates because I like getting sorting for free.
turbonaut
England is just one example of a country of native English speakers who use dd/mm/yyyy.
chrisweekly
yyyy-mm-dd is the iso standard, w/ the benefits of logical consistency (larger to smaller units left to right) and -- best of all -- sortability.
selcuka
Australia, too.
nixass
And?
vetrom
I see a lot of noise made about responsible disclosure, its drivers, and its rewards. What I don't see is talk about how this is one more datapoint against centralized permanent identities.
Every time I see a service purporting that it works best only with a single link to your Real Identity™, I'm reminded that the vendors only abstractly care about actually protecting the user, and then only sometimes.
Imagine being able to get immediately three or four steps closer to doxing anyone interacting on YouTube. That's the actual impact of this bug IMO. It's good that this was fixed, but I don't think this class of bug goes away anytime soon. What do we need to do to get vendors and big companies to realize that this sort of design is landmines waiting to happen?
vineyardmike
> Every time I see a service purporting that it works best only with a single link to your Real Identity™, I'm reminded that the vendors only abstractly care about actually protecting the user, and then only sometimes.
I abstractly agree with you. There is a level of obscurity and disposability that should be tolerated in these accounts. They’re just a row in a database somewhere anyways.
That said, many people transact with these businesses with real human money. For example, YouTube premium subscribers or content creators. From a practical perspective, that requires IRL identifiers to be stored somewhere with that otherwise disposable account. And due to fraud risks and other realities of banking, that requires giving these businesses actual identities and addresses which they store too.
While I don’t give random apps and websites my human-identifying information, anyone I do business with necessarily knows the real me, which is a theoretical point of data leaking.
patrick451
This is a fixable problem if we can get congress to roll back the insane KYC laws.
Garlef
It's also fixable in ways that don't require rolling back KYC laws.
autoexec
> While I don’t give random apps and websites my human-identifying information, anyone I do business with necessarily knows the real me, which is a theoretical point of data leaking.
Certainly not theoretical. You can be certain that nearly every company who knows your identity has leaked/sold it to others in one fashion or another.
chii
They don't care because there's no legal consequence for them.
Try and leak some medical data as a medical services provider. You will get your ass handed to you.
nativeit
> Here's a POC of the exploit in action: This video has been removed for violating YouTube's Terms of Service
That's hilarious.
aydgn
OP actually shared an actual existing user’s email address to prove the concept. In the reuploaded video, the email address is blurred.
tptacek
Since every 3rd message on this thread (at the time I wrote this) is about how Google underpaid for this bug, some quick basic things about vulnerability valuations:
* Valuations for server-side vulnerabilities are low, because vendors don't compete for them. There is effectively no grey market for a server-side vulnerability. It is difficult for a third party to put a price on a bug that Google can kill instantaneously, that has effectively no half-life once discovered, and whose exploitation will generate reliable telemetry from the target.
* Similarly, bugs like full-chain Android/Chrome go for hundreds of thousands of dollars because Google competes with a well-established grey market; a firm can take that bug and sell it to potentially 6 different agencies at a single European country.
* Even then, bounty vs. grey market is an apples-oranges comparison. Google will pay substantially less than the grey market, because Google doesn't need a reliable exploit (just proof that one can be written) and doesn't need to pay maintenance. The rest of the market will pay a total amount that is heavily tranched and subject to risk; Google can offer a lump-sum payment which is attractive even if discounted.
* Threat actors buy vulnerabilities that fit into existing business processes. They do not, as a general rule, speculate on all the cool things they might do with some new kind of vulnerability and all the ways they might make money with it. Collecting payment information? Racking up thousands of machines for a botnet? Existing business processes. Unmasking Google accounts? Could there be a business there? Sure, maybe. Is there one already? Presumably no.
A bounty payout is not generally a referendum on how clever or exciting a bug is. Here, it kind of is, though, because $10,000 feels extraordinarily high for a server-side web bug.
For people who make their nut finding these kinds of bugs, the business strategy is to get good at finding lots of them. It's not like iOS exploit development, where you might sink months into a single reliable exploit.
This is closer to the kind of vulnerability research I've done recently in my career than a lot of other vuln work, so I'm reasonably confident. But there are people on HN who actually full-time do this kind of bounty work, and I'd be thrilled to be corrected by any of them.
edanm
I don't remember if I've ever thanked you for the dose of reality you bring to these discussions, but if not - thank you! Before I started reading your comments on bug bounty payouts I'd probably have made the typical thoughtless (in my case) remark that the bounties are tiny, without actually thinking through the realistic dollar value of bugs found.
Not to mention not really thinking through how obviously stupid it is to immediately compare a legal activity to a highly illegal one, as if they're real alternatives for most people.
tptacek
pvg
I think your comment energy is more https://youtu.be/Pzpx9f5ByyA?t=110
hedora
Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.
If we apply your analysis to other things, we’ll find that the upper bound price for a new car stereo or bike is ~ $100, and the price of any copyrighted good is bounded by the cost of transferring it over the network.
I think it is more useful to divide the amount Google paid by the number of hours spent on this and any unsuccessful exploit attempts since the last bounty was paid.
I’d guess that the vast majority of people in this space are making less than US minimum wage for their efforts, with a six figure per year opportunity cost.
That tells you exactly how much Google values the security and preserving the privacy of its end users. The number is significantly lower than what they pay other engineers orders of magnitude more to steal personal information from the same group of people.
demosthanos
> Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.
> If we apply your analysis to other things
This analysis doesn't work for a few reasons:
* For physical goods, used items always fetch a lower price than new items due to unrelated effects. And if we're only looking at the used price, we do find that the black market price is just about equal to the used item's value minus the risk associated with dealing with stolen goods (unless the buyer is unaware of the theft, in which case the black market value is the same as the used value).
* For both physical and digital goods, there are millions of potential customers for whom breaking the law isn't an option, creating a large market for the legal good that can serve to counter the effect of the black market price. This isn't true of exploits, where the legal market is tiny relative to the black market. We should expect to see the legal market prices track the black market prices more closely when the legal market is basically "the company who built the service and maybe a few other agencies".
mootothemax
> For physical goods, used items always fetch a lower price than new items
This is only true under certain circumstances. If there are supply chain issues, used prices can go up and over the list price. The most extreme (and obvious) example I've seen is home gym equipment during the Covid lockdowns, particularly for stuff like rowing machines.
The other potentially less obvious example is seen in countries that don't have a local presence or distributor for a given item, and the pain and slowness of importing leads to local used prices being above list price.
One other potentially interesting semi-related point: prices for used items can sometimes increase in unexpected ways (excluding obvious stuff like collectables, art, antiques etc). In the UK, the used price for a Nissan Leaf EV started increasing with age after the market realised that fears about their battery failing ~5 years into ownership were unfounded urban myths, and repriced accordingly.
UncleMeat
Bug bounty programs are not the only (or even primary) way that security researchers get paid. Google pays employees salaries to find vulns. Bounty programs are a pretty recent development and the idea that they should be scalable and stable well paying employment for a lot of people is a bit strange to me.
If security researchers want to have stable employment doing this sort of work, there's oodles of job applications they can send out.
mlyle
> Bounty programs are a pretty recent development and the idea that they should be scalable and stable well paying employment for a lot of people is a bit strange to me.
So, the value to the researcher of having a found bug has a floor of the black market value.
The value to Google is whatever the costs of exploitation are: reputational, cleanup, etc.
A sane value is somewhere between these two, depending on bargaining power, of course. Now, Google has all the bargaining power. On the other hand, at some point there's the point where you feel like you're being cheated and you'd rather just deal with the bad guys instead.
tptacek
I think the right comparison to make here is art. The compensation floor is zero, and, in fact, that's what most vuln research pays.
jonas21
Most other fields produce things that can be sold in the legal market - and so the value of those things can be determined by the market.
notpushkin
> and the price of any copyrighted good is bounded by the cost of transferring it over the network
It sure has worked out pretty much like this for music. The cost is not exactly zero, but pretty close to that.
hammock
>Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.
What you’re saying can be seen as tautological. The reason a gray/black market exists is precisely because the field is undercompensating (aka in disequilibrium)
nitwit005
> Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.
They're buying exclusive access to some information, which is a somewhat unusual thing to pay for.
News reporters do take spicy stories to tabloids, rather than the normal press, as the tabloids will pay more.
kccqzy
I hate how this HN thread is mostly about discussing the amount of bounty, but I'm afraid it's only natural. Most commenters here are working in the software industry and they want to normalize extremely high bounties. It's an extra income source for them. They want higher bug bounties much like they want SWEs to be a highly compensated profession. It's only natural for workers to demand higher pay for their own profession. No amount of rationalization will change that instinct.
iinnPP
It isn't always about money, even when that is the stated problem.
The dollar value of a responsible report going up means more responsibility overall and less problem leaks, exploits, etc.
I would be equally happy to see any solution where the end result is increased security and privacy for everyone, even at zero bounty.
The problem being overlooked is that the actual cost of these exploits and bugs is paid by the people who had no say whatsoever in any matter regarding the issue. Any time a company is being "cheap" at the expense of regular people is a bad time, from my perspective.
Google has the power to limit the exposure of the people who use their products (and this isn't always voluntary exposure mind you) and is choosing to profit a teeny tiny bit more instead. At no immediately obvious cost to them, why not?
nightpool
> The dollar value of a responsible report going up means more responsibility overall and less problem leaks, exploits, etc.
Does it? I just had a bug bounty program denied for budget approval at my work because of the cost of the bounties and the sufficiency of our existing security program. On the margins, it's not clear to me that the dollar value of a report going up is incentivizing better reports vs pricing smaller companies out of the market.
mlyle
I'm not a SWE anymore and haven't been one for a long time.
I think it's in everyone's interest for bug bounties to be higher than harmful markets for the same bug, and a decent fraction of the harms they prevent. That's what is going to result in the economically efficient amount of bug hunting. And it's going to result in a safer world with less cybercrime.
tptacek
No, it's not. CNE is shockingly effective, both for organized crime and for the international IC. The productivity wins are so great there is enormous space for the market prices of tradable vulnerabilities to increase; maybe even multiple orders of magnitude. We're not going to disrupt that process with bug bounties.
I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.
Smart companies running bug bounties --- Google is probably the smartest --- are using them like engineering tools; both to direct attention on specific parts of their codebase, and, just as importantly, as an internal tool to prioritize work. This is part of why we keep having stories where we're shocked about people finding oddball security- and security-adjacent bugs that get zero payouts.
aqueueaqueue
SWE comp is weird in that typically it is zero (see what's on Github!), often it is middle class and sometimes it is small scale CEO (as in the actual job not a founder) level.
I guess bounties fit into the framework somewhere between the Github and middle class engineer.
I think it comes down to supply and demand. It also shows you what Google would pay employees if things were in their favour. On unrelated news, a tech billionaire is almost de facto VP of the US.
rectang
When bug bounties are priced low, it also irks those among us who care about security — for the sake of the organizations we work for, for the sake of our end users, and for the sake of the world at large.
reaperducer
[flagged]
seangrogg
You say greed but I would wager that most people in the thread are not financially independent. If someone can't retire from needing money in perpetuity, is it really greed to want to move that needle from "no" closer to "yes"?
neilv
> Threat actors buy vulnerabilities that fit into existing business processes
Isn't there a market for this? For example, "Reveal who is behind this account that's criticizing our sketchy company/government, so we can neutralize them".
I'll also argue there are separate incentives than the market value to threat actors... Although a violent stalker of an online personality might not be a lucrative market for a zero-day exploit for this "threat actor" market, the vulnerability is still a liability (and ethical) risk for the company that could negligently disclose the identity of a target to a violent stalker.
IMHO, if you're paying well a gazillion Leetcode performance artists to churn out massive amounts of code with imperfect attention to security, then you should also pay well the people who help you catch and fix their gazillion mistakes, before bad things happen.
portaouflop
You are imagining a market that doesn’t exist.
First there are only very few govs/companies that are sketchy enough to do this - and for those a huge number of non-anonymous people exist with huge reach that are very critical for years. If such a market existed they would assassinate all those first - you don't need the email if you have the face, voice, and name - since that is not happening they just don't care that much about it.
wepple
There’s 100% an active market for this, and I think tptacek is simply wrong on this point (the others are valid)
The likes of Cambridge Analytica didn’t go away, they exist and absolutely go hunting for data like this.
The ability to map between different identifiers and pieces of content on the internet is central to so many things - why do you think adtech tries to join so many datapoints? Let alone things like influence campaigns for political purposes.
I’m not talking about assassination plots, but more mundane data mining. This is why so much effort in the EU has gone into preventing companies from joining data sources across products - that’s embedded in DMA
zemnmez
i think what's being conflated here is that there are reasonably buyers for this kind of vulnerability but there's no market in the truest sense. I think a correctly connected individual could well sell this vuln to a state actor or a contractor to one; but the ecosystem of bug sales to these parties has no aggregate appetite for them, thus, there is nothing driving the price up. People in the market for cyberweapons want point and shoot vulns that have broad usage beyond a specific server for a specific company or parts for them, and ones that will last beyond a single corporation patching something. They are willing to pay such big $$$ for this that the whole market is optimized for it. The power players here would much rather buy a gun and shoot the lock off a door than a specialised set of picks that work for that lock in that building.
tart-lemonade
The only real market (that I can see) are shady data aggregators. Governments just file subpoenas, and abusive megacorps can file lawsuits (all the anti-SLAPP statutes in the world can't prevent your Google account from being unmasked and having to pay for a lawyer). There is a limited market in the form of internet addicts who want to harass people for kicks (since finding an email gives them another route to do that with), but it's a small one. These people also tend to be entitled pricks, so they're not a very good customer base to have.
lolinder
> then you should also pay well the people who help you catch and fix their gazillion mistakes before bad things happens.
You missed their point about the business model of the security researchers here: their business model is finding a large number of small value vulnerabilities. Those who are good at this are very very good at this.
My company has a bug bounty program and some of the researchers participating in it make double or more my salary off of our program, but we never pay out more than this for a single report. And it's not like we're particularly vulnerable, we just get a steady stream of very small issues and we pay accordingly.
tptacek
They're right: I was talking about the business models at the buyers that these vulnerabilities have to slot into. The point I'm making is: there already has to be an operating business that's doing this for a vulnerability to be salable at all. If there isn't one, you're not selling a vulnerability, you're helping plan a heist.
pwillia7
Yeah, _should_ but businesses make money and not reporting and using the vulnerability in any other way is illegal, so they get to set the price as they're the only buyer. They know this.
dadrian
I'd also add that the legality of law enforcement exploiting a server-side bug is much more of a gray area (or actually illegal), whereas there is a standard process for law enforcement or the intelligence community to get a court order that enables them to exploit devices that belong to a specific target (phone, laptop, etc).
tptacek
There's also the thing where like, as you go from iOS Safari to Windows Chrome to Acrobat Reader or whatever, grey market prices plummet. The top-dollar targets all have multilayered runtime protections and whole teams that do nothing but security refactoring. No serverside software is hardened that way (excepting the Linux kernel, maybe, but Linux kernel bugs are a standard component of clientside exploit chains). You could infer a pretty low price.
I will say: at Matasano, we were once asked by an established security company that turned out to be a broker to find PHPBB vulnerabilities.
Cpoll
> because $10,000 feels extraordinarily high for a server-side web bug.
Am I misunderstanding the bug? In my reading, this bug translates to "a list of the top 1,000 Youtube accounts' email addresses (or as many as you can get until Google detects it and shuts it down)." Why isn't that conceivably worth more than $10,000?
sbarre
Perhaps because email addresses are kinda/sorta PII (business emails are categorically not) but not quite comparable to home addresses, tax/payment information, etc..
Our emails get leaked all the time in data breaches, sometimes alongside much more important information such as home addresses etc..
This was certainly a bad leak that could be used to further dox people by connecting the email to other leaked info or other sources, but from Google's perspective, all they did was leak the email.
It was a privacy breach for sure.
But further doxxing based on the email would be "not their problem" I suspect they would say.
reaperducer
Why isn't that conceivably worth more than $10,000?
As explained by the parent comment, because there isn't a market for it. It's a novelty. Who are you going to sell that exploit to? At this time, nobody. Since Google doesn't have to compete against others for the bug, it pays low.
Cpoll
To clarify, I'm not suggesting selling the exploit. I'm suggesting selling MrBeast, PewDiePie, Blackpink, Sony Music, etc.'s Youtube email addresses. To phishing rings.
Those may be non-public email addresses (admin/billing emails), so the phishing potential is higher than emailing prteam@mrbeast.com (or whatever).
ldoughty
Oh darn, my youtube email was leaked... It certainly stinks that mybusinessname@gmail.com is now known to the world...
There's certainly bad things that CAN be done to a number of people with information when it's a personal email address that's used for numerous purposes... but the 3 people I talked to about having youtube (or any streaming) accounts all have mentioned it as being a separate account.
So the only threat I can see in most cases is just better phishing attempts, which is not necessarily an easy money maker... Unless they can steal the entire account? It is impossible to get support from Google, so it's quite possible you could change the bank info and get a month or two of payments before someone gets in the loop to stop it... and realistically, the more money someone is making on YouTube, the less likely they have troubles contacting someone at Google by some side channel... and the less likely it's a personal email address that reaches the actual star of the channel.. so the more popular the person, the less valuable the email address
Invictus0
Increasing the ease of phishing the top 1000 YouTube accounts seems like a pretty serious threat to me.
sushid
I think a simple way to think of it is: how much would an adversarial nation state buy this exploit for?
I just don't think Russia would be willing to pay $100,000 to get Mr. Beast's email address, even if that sounds tempting to you.
Cpoll
Why a nation state? My hypothetical is a phishing ring that sends an official-looking phishing email to 1000 non-public email accounts that typically only get emails from Youtube.
The exploit can be valued at: number of emails * probability that you'll phish them into letting you in * value of posting a "Free Robux" scam on a channel with 100M subscribers.
kube-system
Sure, they'd probably be more interested in political dissidents.
fy20
The majority of the top 1000 YouTube accounts will actually have an email address publicly available, as they are a business and they want people to be able to reach out to them for sponsorships or brand collaborations.
For example, MrBeast has this in the video description:
> For any questions or inquiries regarding this video, please reach out to chucky@mrbeastbusiness.com
The vulnerability here is that you can find the exact email address tied to their YouTube account, which you can't really do anything with if they have strong passwords and use 2FA.
EGreg
If you think Google had underpaid for this, imagine how much they got to underpay for this:
https://www.theverge.com/2016/1/29/10868404/google-reveals-h...
That guy is ridiculous! Could have made $50 million or more probably, if he had used a different registrar than Google itself.
He mentioned that Microsoft also let their domain lapse and that one was actually going to the open market... and what's more, they didn't even care when he contacted them! Oof:
https://www.theregister.com/2003/11/06/microsoft_forgets_to_...
Here are a few other doozies:
Apple forgot to renew their certificate for the entire Mac App Store, and didn't care much:
2014: https://www.macrumors.com/2014/05/25/apple-software-update-i...
if that wasn't bad enough... they did it again in 2015:
https://osxdaily.com/2015/11/12/fix-app-is-damaged-cant-be-o...
and almost in 2016:
zeroq
On top of that I always felt that this is generally aimed towards hobbyists who may accidentally stumble on something, to give them additional incentive to finish the job and make an actual summary and repro, rather than hollywood hackers.
Sure the gray market will pay more, but how do you contact criminals and make sure that you actually receive payment?
I know nothing about the market, but I think it's similar to buying drugs - we all know that drugs are everywhere and criminals are making a ton of money out of it, but if you haven't been introduced before how do you actually buy them? Go to a club and start asking random people?
(that last part might be different in US, but in EU we don't have people standing on every corner selling cookies)
AznHisoka
“Applied 1 downgrade from the base amount due to complexity of attack chain required” <— is this common?
I’ve only participated in a few vulnerability programs, and most of them reward less if the security flaw is stupidly simple (but serious) such as revealing user emails in the page source.
tptacek
I had the opposite impression, that it got dinged for being relatively complex for a web finding.
kevincox
Yeah, this seems backwards. It should be upgraded from the base amount because they effectively found 2 bugs!
philipwhiuk
> Some time ago, I was looking for a research target in Google and was digging through the Internal People API (Staging) discovery document
Should... should this just be public: https://staging-people-pa.sandbox.googleapis.com/$discovery/...
kccqzy
It's just an automatically translated schema file from their internal .proto definition. Google relies on real cryptography not security through obscurity.
Furthermore the discovery endpoint is publicly documented[0] and specifically meant for external users. Nobody internal would read the discovery endpoint: they would just pull up the .proto file through code search.
Another observation: from my experience at Google it took multiple weeks of effort fighting against the bureaucracy to be able to expose an API to the public. It's not like an AWS S3 bucket that could just be accidentally public. The team knew this is public and had fought the bureaucracy to make it public.
[0]: https://developers.google.com/discovery/v1/getting_started
hnburnsy
From the article...
15/09/24 - Report sent to vendor
...
29/01/25 - Vendor requests extension for disclosure to 12/02/2025
09/02/25 - Confirm to vendor that both parts of the exploit have been fixed (T+147 days since disclosure)
12/02/25 - Report disclosed
So that is 136 days not fixed(?) and Google asks for extension.
Then 147 days to fix and 150 days to public disclosure. Compare this to Google Project Zero which gives other companies the following time to fix before disclosure...
>"This bug is subject to a 90 day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline."
>If the patch is expected to arrive within 14 days of the deadline expiring, then Project Zero may offer an extension...Note however, that the 14-day grace period overlaps with the 30-day patch uptake window, such that any vulnerability fixed within the grace period will still be publicly disclosed on day 120 at the latest (30 days after the original 90-day deadline).
>If we don't think a fix will be ready within 14 days, then we will use the original 90-day deadline as the time of disclosure. That means we grant a 14-day grace extension only when there's a commitment by the developer to ship a fix within the 14-day grace period.
https://googleprojectzero.blogspot.com/p/vulnerability-discl...
whymarrh
I don't think this is a useful comparison. This is Google's bug with Google's software vs. Project Zero's discoveries are (as I understand them) typically in software used by multiple people and thus there's a higher urgency to fix them.
hnburnsy
It's not apples to apples, but I think it shows Google's hypocrisy.
ForHackernews
> That params is nothing more than just base64 encoded protobuf, which is a common encoding format used throughout Google.
Pour one out for the google dev in charge of b64 encoding their fancy binary message format so it can be jammed inside a JSON blob. If you want a vision of the future, imagine a boot with "worse is better" imprinted on the sole stomping on an engineer's face, forever.
caust1c
It's everywhere and it's the worst. I sometimes ponder whether or not the volume of protobuf bytes represented as b64 encoded protobuf in JSON exceeds that of actual protobuf bytes sent over the wires of the internet, and then I pour one out for myself.
ForHackernews
JSON's not even that bad if it's gzipped! It compresses relatively well.
If only there were some way to easily send this binary gzip data to this API that accepts JSON...
aleksiy123
Internally, it would be a b64 protobuf in a protobuf field.
The json part is an automatic conversion.
jeffbee
Why would it be b64 encoded? There's nothing that prevents you from putting an encoded protobuf into a protobuf as `bytes` type. `bytes nestedMessage = 42;` Only delimited message formats like JSON or XML need to encapsulate messages before nesting.
aleksiy123
Because it is in JSON? Internally it probably is protobuf with bytes.
But the external API is JSON and so it needs to be converted at some point.
https://stackoverflow.com/questions/49358526/protobuf-messag...
paulddraper
Huh?
Internally, it is (maybe) a binary field of a protobuf.
Then when translating to JSON, it was converted to a string via base64 encoding.
paulddraper
JSON string of base64 encoded protocol buffer...you don't need to know what company did that to know what company did that.
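The wrapping the thread is describing (a serialized message nested as `bytes` inside another message, the outer message base64-encoded into a JSON string), as an added example that is not code from the article, from brutecat or from Google. It is a schema-less encoder and decoder for the protobuf wire format, using field number 42 from the `bytes nestedMessage = 42;` line above; the `params` key, the inner field numbers and their contents are assumptions for illustration, and real Google endpoints are not touched.

```python
import base64
import json

NESTED_FIELD = 42  # mirrors `bytes nestedMessage = 42;` from the thread (assumed)


def encode_varint(n: int) -> bytes:
    """Encode a non-negative integer as a protobuf base-128 varint."""
    if n < 0:
        raise ValueError("only unsigned varints are handled here")
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        if n:
            out.append(low | 0x80)  # continuation bit set: more bytes follow
        else:
            out.append(low)
            return bytes(out)


def encode_field(field_number: int, value) -> bytes:
    """Encode one field: ints as wire type 0 (varint), str/bytes as wire type 2."""
    if isinstance(value, int):
        return encode_varint((field_number << 3) | 0) + encode_varint(value)
    if isinstance(value, str):
        value = value.encode("utf-8")
    return encode_varint((field_number << 3) | 2) + encode_varint(len(value)) + value


def decode_varint(buf: bytes, pos: int):
    """Decode a varint at buf[pos]; returns (value, new_pos). Rejects truncated input."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def parse_message(buf: bytes):
    """Walk a serialized message without its .proto; returns [(field, wire_type, value)]."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        field_number, wire_type = tag >> 3, tag & 0x7
        if field_number == 0:
            raise ValueError("illegal field number 0")
        if wire_type == 0:                       # varint
            value, pos = decode_varint(buf, pos)
        elif wire_type in (1, 5):                # fixed64 / fixed32
            width = 8 if wire_type == 1 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value, pos = buf[pos:pos + width], pos + width
        elif wire_type == 2:                     # length-delimited: bytes, string, nested message
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            value, pos = buf[pos:pos + length], pos + length
        else:                                    # groups (3, 4) and anything else
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_number, wire_type, value))
    return fields


def build_json_request(inner_fields: dict) -> str:
    """Serialize the inner message, nest it as bytes in field 42 of the outer message,
    then base64 the outer message into the JSON `params` string (key is assumed)."""
    inner = b"".join(encode_field(k, v) for k, v in inner_fields.items())
    outer = encode_field(NESTED_FIELD, inner)
    return json.dumps({"params": base64.b64encode(outer).decode("ascii")})


def unwrap_json_request(body: str) -> dict:
    """Reverse path: JSON -> base64 -> outer message -> bytes in field 42 -> inner fields."""
    raw = base64.b64decode(json.loads(body)["params"], validate=True)
    nested = [v for (f, wt, v) in parse_message(raw) if f == NESTED_FIELD and wt == 2]
    if len(nested) != 1:
        raise ValueError("expected exactly one nested message in field 42")
    return {f: v for (f, wt, v) in parse_message(nested[0])}


if __name__ == "__main__":
    # Constructed sample: field 1 a numeric id, field 2 an opaque channel string.
    body = build_json_request({1: 12345, 2: "some-channel"})
    print(body)
    print(unwrap_json_request(body))
```

When poking at an endpoint like this, the decoder is the useful half: it lets you see the field numbers and wire types of a captured `params` value without a schema, and it refuses lengths that run past the buffer or wire types it does not know instead of silently producing garbage. Unknown length-delimited fields can be fed back into `parse_message` to test whether they are themselves nested messages.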
nullderef
Breaking the email system so that it's not sent is the cherry on top. With companies as big as Google who have developed so many products, "security" feels fake. If every line of code is a possible vulnerability, with millions it's just inevitable. It feels like the only way is to keep things simple (e.g., deprecate the recorder site), but even then.
rpigab
That's probably another reason why Google kills so many products that are successful, but not successful enough for Google's whole system to justify keeping them alive and secure.
echelon
100%. Every product not a part of the core mission is attack surface area, ongoing maintenance to ensure it works with the rest of Google services and infra, and drag on the rest of the team and velocity.
The part that sucks for consumers is that they often kill things that people like. I wish they had a better way of doing this.
Bravo to brutecat for this excellent discovery, productionization, and writeup.
zoklet-enjoyer
They could spin these products off into separate companies and cut the integration with the rest of the Google ecosystem.
goldfish3
There's a lot of truth to that. Older projects often get bogged down by new security & compliance horizontals, to the point where maintenance is just no longer worth it.
ragazzina
Maybe Apple should do the same and kill their many half-baked software products.
gallerdude
Which ones? In my experience, a lot of Apple's products have incredible longevity. Notes, Calendar, Pages all just get better and better.
robin_reala
Unfortunately with the number of users Google has, any deprecation will be met with cries of pain / I-rely-on-the-spacebar-to-heat-up-my-computer. See https://killedbygoogle.com/.
aeonik
They really aren't shy about massive breaking changes.
I'm still upset about Google Reader.
thoroughburro
I remember being upset about Google Reader for a few months after its death… before moving to one of its many, fuller-featured competitors and carrying on using RSS feeds exactly as before.
What upsets me re RSS these days is how many people were apparently so reliant on one reader that they still publicly mourn every time it comes up, 12 years later. Who are these fair-weather feed followers who threw their hands in the air with the loss of exactly one product?
ibaikov
I realized I was reading too many websites and decided to switch to RSS, only to find out that Google had killed Reader a month earlier.
Years later, I came across Artifact, created by the founders of Instagram, and thought it was an interesting idea. The problem was I was reading its shutdown announcement.
Sometimes I think products are killed way too early. Look at Twitch, it boomed after years of stagnation.
DonHopkins
I'm still upset about the "I've Got A Bad Feeling About This" button.
jfengel
I didn't use Reader. What was so special about it? IIRC it was an RSS aggregator, which sounds pretty simple to replace. Nobody has an open source equivalent?
Y_Y
Many of us are still upset about Reader. It definitely felt like a watershed moment between the old cool Google who sent pizzas to hackers and had clean fast web design and weren't evil.
I'd be so glad now to give up on Google and all its enshittified shit. I could give up things that are still super useful and I get value from every day: YouTube, Gmail, Play Services, Drive, Maps. But I don't think I could give them all up at once. I've been trying to migrate to Proton and OpenStreetMap and some kind of real Linux phone etc, I don't even mind if I have to fiddle around before everything works. The trouble is that the claws are in, but they're not in me.
Remember when Google proudly didn't advertise themselves? They got to critical mass through word of mouth, from having a compellingly better product. Now what they have is network effects and locking. They used to appeal to developers and techies because and that ended up making the services better for everyone. Now like all the other tech giants they have PHB's optimizing for the next millisecond of attention and Microdollar of ad revenue from a lowest-common-denominator victim.
Google is so big that it's a significant part of life for a significant proportion of the world. When Google is shit it moves the needle on net human suffering. I think the UN should be focusing on preventing war and trying to salvage our environment, but if they aren't going to do that then it might be rational to just form a worldwide consumer group to take on megacorps.
meindnoch
+1 for Google Reader
That marks my coming of age on the enshittified web. The killing of Google Reader was a watershed moment. It marks the moment in time when the tide turned from the open Web to closed social media gardens.
ramon156
Side note, what is that reference from? Searching "i rely on the spacebar to heat up my computer" directs me back to this comment (6 mins ago).
croisillon
you're one of today's lucky 10,000
cfreksen
It is a reference to the following XKCD comic: https://xkcd.com/1172/
vladms
I would challenge you to give me examples where security feels "real" and how does that help.
Most software products rely on very complex software stacks, and if you trust 100% all the libraries and the OS you use I would say it's a wrong mindset. There were bugs even in the processor (Meltdown). Security is a continuous battle and you never know if you won, only (sometimes) if you lose.
tialaramex
You can tell security is real the same way as lots of other things, reality doesn't give a fuck. Like how you can tell the difference between man's laws (e.g. "The Offside Rule" or "Constitutional Rights") and Mother Nature's laws (e.g. Thermodynamics). Try it, kick the ball even though the rule says you mustn't - if you get lucky the referee doesn't notice and play continues. But if you try to make a system more ordered without expending energy it does not work. Reality doesn't give a fuck.
When I breeze through your login process with the wrong credentials that's because your security was fake, if it was real that would break because it didn't know who I was, so if some bug lets me past login I don't somehow successfully log in as me, I'm logging in as nobody at all which is clearly nonsense.
This is "Make Invalid States Unrepresentable" at scale, and it's difficult to do, but not impossible.
hkwerf
You're essentially suggesting a Drake equation [1] equivalent for the number of security vulnerabilities based on NLoC. What other factors would be part of this equation?
CSMastermind
Language or framework definitely plays a role (isn't that what the Rust people are so excited about?). Maybe say like the materials/tools used.
There's definitely some measure of complexity. I still like simple cyclomatic but I know there are better ones out there that try to capture the cognitive load of understanding the code.
The attack surface of the system is definitely important. The more ways that more people have to interface with the code, the more likely it is that there will be a mistake.
Security practices need to be captured in some way (maybe a factor that gets applied). If you have vulnerability scanning enabled that's going to catch some percentage of bugs. So will static analysis, code reviews, etc.
maximus-decimus
How close to the Ballmer peak the programmer was when he wrote the code.
bobnamob
Correlated or inversely correlated?
zwnow
The point is: security is fake. No app is truly secure. You can spend millions on app security and all it takes to breach that is one slip up of a human user.
TheDong
I'd take away "security is complicated and multi-faceted", not "fake".
It's not a black and white of "an app is truly secure" or "an app is truly insecure", but rather a continuum from "secure enough in practice for this threat model and purpose" to "an insecure mess".
Like, plenty of websites and apps have launched, existed for years, and then shutdown without a single security incident. In those cases, surely the app was secure, right? At least secure enough? Signal so far has been "secure enough in practice" for most people, while iMessage has in practice been "secure enough if you're a normal person, but with serious security issues for anyone who might be subject to serious targeted attacks"
Say more about what you mean by "no app is truly secure"? Especially in the context of signal?
zwnow
I'm just saying that all it takes is one employee to click on the wrong URL to breach your app's security. I am not talking about the app itself. You can have all the security implemented the world has to offer and yet you can't get rid of human errors.
robin_reala
I’d misunderstood the title to refer to $10k of GPU compute or something like that. Unfortunately I suspect there’ll be tens or hundreds of occurrences of this bug given that they just picked one old Google product and immediately found a hole.
SXX
> given that they just picked one old Google product and immediately found a hole.
This is just not how it works. Most likely the author spent weeks or months digging into different products until he found something worthwhile.
saretup
I misunderstood it to mean they are selling any YouTuber’s email address for $10k
ouraf
Nice catch! And finding a vulnerability on such a high profile service will look very nice on the resume.
Congrats!
swyx
I'd really like a way to email a YouTube channel owner though, even if it sits in a YouTube inbox for a year. Most of them don't have email contacts and it's hard to reach out for sponsorship or any other deals.
williamscales
A long long time ago...in an internet far away...
YouTube used to have DMs so you could do this. I don't remember exactly when it was removed. Probably late aughts.
I found this title confusing. For those who didn't make it toward the end of the article: the leaked emails didn't cost them anything (except their time and ingenuity), and they received 10k as the bug bounty.