Comment by mmsc
2 months ago
>Unmasking Google accounts? Could there be a business there? Sure, maybe. Is there one already? Presumably no.
Absolutely, yes. Spam and targeted phishing attacks are in high demand.
My understanding is that it is possible to retrieve every public youtube channel ID, if not also Google Maps/Play reviewers, quite easily. This exploit could have been used to create a massive near-complete database of every Google account that has automatically had a Youtube account created.
> This exploit could have been used to create a massive near-complete database of every Google account that has automatically had a Youtube account created.
Massive email databases are extremely cheap, often free. For this vulnerability to be worth more than $10k there would have to be something about it being a near-complete library of Google accounts (rather than just another massive mailing list).
And that's assuming the prospective buyer believed that they could exploit this vulnerability in full before discovery. If I'm reading this exploit right, each email recovered requires two requests, one of which needs to make one of the fields 2.5 million characters long in order to error out the notification email sent to the victim. Presumably that email sending error would show up in a log somewhere, so the prospective attacker would have to send billions of requests fast enough that Google can't block them as suspicious or patch the vulnerability, all the while knowing full well that they're filling up an error log somewhere and leaving an extremely suspicious pattern of megabyte-sized request bodies on a route that normally doesn't even reach kilobytes.
I'm honestly not seeing how you could make an email list out of this that is anywhere near complete, and even if you could I'm not sure where the value to it would be.
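The comment above argues that mass exploitation would leave "an extremely suspicious pattern of megabyte-sized request bodies on a route that normally doesn't even reach kilobytes." As an added illustration (not code from any commenter, Google, or the original write-up), here is a small detector that learns each route's typical request-body size from an access log and flags bodies that are orders of magnitude larger, then counts flagged requests per client. The log format, route names, IPs and sizes are all constructed for the example.

```python
"""Detect request bodies that are wildly larger than a route's normal size.

Added example for the thread; log format, routes and addresses are constructed
and hypothetical, not taken from any real service.
"""
from collections import Counter
from statistics import median

# Constructed sample access log: "<timestamp> <client_ip> <method> <route> <body_bytes>".
# /share/invite normally carries a few hundred bytes; two requests from one client
# carry ~2.5 MB. /upload/video legitimately carries large bodies and must not be flagged.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 198.51.100.7 POST /share/invite 612
2024-01-01T10:00:01Z 198.51.100.8 POST /share/invite 590
2024-01-01T10:00:02Z 198.51.100.9 POST /share/invite 640
2024-01-01T10:00:03Z 203.0.113.4 POST /share/invite 2500000
2024-01-01T10:00:04Z 198.51.100.10 POST /share/invite 601
2024-01-01T10:00:05Z 203.0.113.4 POST /share/invite 2500213
2024-01-01T10:00:06Z 198.51.100.11 POST /upload/video 52428800
"""


def parse_log(text):
    """Turn the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, route, size = line.split()
        events.append({"ts": ts, "ip": ip, "method": method,
                       "route": route, "body_bytes": int(size)})
    return events


def route_medians(events):
    """Per-route median body size; the median is robust to a few huge outliers."""
    sizes = {}
    for ev in events:
        sizes.setdefault(ev["route"], []).append(ev["body_bytes"])
    return {route: median(vals) for route, vals in sizes.items()}


def find_oversized(events, factor=100, floor_bytes=64 * 1024):
    """Flag events whose body exceeds max(floor, factor * route median).

    The floor keeps tiny-body routes from alerting on harmless small variance;
    the multiplier keeps routes that are normally large (uploads) quiet.
    """
    medians = route_medians(events)
    flagged = []
    for ev in events:
        threshold = max(floor_bytes, factor * medians[ev["route"]])
        if ev["body_bytes"] > threshold:
            flagged.append({**ev, "threshold": threshold})
    return flagged


def offenders_by_ip(flagged):
    """Count flagged requests per client; repeated hits suggest automation."""
    return dict(Counter(ev["ip"] for ev in flagged))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_oversized(evs)
    for ev in hits:
        print(f"{ev['ts']} {ev['ip']} {ev['route']} body={ev['body_bytes']} "
              f"(threshold {int(ev['threshold'])})")
    print("per-client counts:", offenders_by_ip(hits))
```

Run it and the two 2.5 MB bodies on `/share/invite` are reported while the 50 MB upload is not, because the threshold is relative to each route's own baseline. In practice the per-client count would feed a rate-limit or block rather than just a print.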
>Massive email databases are extremely cheap, often free
There are different qualities of email databases. "Known real email by Youtube account holders" would be a high value database. Definitely not free.
This type of vulnerability is extremely valuable for private investigators, too. "Who uploaded this video which my client is extremely interested in?"
>This type of vulnerability is extremely valuable for private investigators, too. "Who uploaded this video which my client is extremely interested in?"
Would exploiting this vulnerability violate the Computer Fraud and Abuse Act? If so, would a private investigator really want to do that?
1 reply →
Sure but did you read the rest of the post you're replying to?
That database only exists in theory, based on extrapolation of this vulnerability to billions of individual exploits, and I think we can all agree that Google would detect this activity and shut it down.
Hence, that database might fetch a decent price if it existed, but it doesn't.
And then what?
Exploits need to plug into a business plan. Like any business plan there has to be somewhere that money gets extracted and that money needs to be more than the exploit cost & infrastructure costs & a risk premium.
If you can’t trivially say how the exploit explicitly gets turned into cash you probably are on the wrong track. Doubly so if it’s not a known standard and commoditized way that’s happened before.
There are often phishing campaigns targeting larger channels on YT, trying to trick someone with access to it into opening malicious e-mail attachments, with the end-goal of taking over the channel. Usually the attackers then put a livestream on it and push some crypto scam. It must make enough money, given that it keeps happening.
Most recent example I've seen: https://www.youtube.com/watch?v=EnVxWK6DfMQ
So then why do they need additional information about emails? They clearly already can email these youtubers.
4 replies →
Say you’re a blackhat OSINTer trying to steal crypto. You have a first initial and a last name for a target (“J. Smith”) - plus you know this person is on github and discord.
You take out your handy email list and run a regex to find candidate accounts that match “J Smith”. You pipe matches into a recon script to check if github and discord accounts exist for each email. Suddenly, you’ve got a small pool of matches. You try more account-existence recon to find all the sites they’re signed up on. You look up all breached creds tied to the target emails, then run cred stuffing against any sensitive services they’ve signed up for.
Boom, you’ve gone from first initial + last name to compromising an account in thirty minutes.
Surely the key part of this is "this person's email address and password have been published online together" rather than "I can identify this person's email address."
It can get turned into cash by the EU when Google gets a massive fine for leaking private data.
> Exploits need to plug into a business plan
Or, you know, develop a new "business plan" around an exploit.
Nobody does this. It would be an insane proposition. The vulnerability is going to die very shortly into your attempt to capitalize on it. Businesses have startup costs they have to pay off.
5 replies →
Even if that did happen, it would drive down the price of the exploit and especially so for server side novel ones.
But then what? Given the number of accounts Google has, odds are that nearly every alphanumeric combo less than 8 or 10 characters plus “@gmail.com” is a google account. This vulnerability gets you other domains, but still not seeing it. Massive databases of email addresses are a dime a dozen.
The only angle I can imagine is phishing for high profile creators, and at most this is a “makes it easier” and not a “creates the problem” bug.
You could target accounts of users likely to be younger & more susceptible to phishing for passwords-- kids subscribed to channels with younger content. Or other interest-based targeting. It's not quite spear phishing, but still more targeted.
The back of an envelope can get you making silly claims quickly (ex. 26 ^ 8 is 208 billion)
I think you might be off by a factor of 10. Alphanumeric would be at least 36 characters, which would imply 2.8 trillion combinations (36 ^ 8).
1 reply →
Not seeing the problem. Are you assuming that somehow there is at most one Gmail account per person on earth?
I have… I’m not sure. Ten maybe? And those are actual conveniences for different purposes. I’m sure plenty of people have hundreds, if not thousands. So what?
1 reply →
Honestly, that leaves straight-up harassment of YouTubers by other YouTubers and fans off the table, which by itself would motivate a few of them. Some of the same people who play in the black and grey hat worlds are the same people buying DDOS attacks and swatting streamers. They would have a party with their emails.
> which by itself would motivate a few of them
Motivation in the abstract is not enough to counter GP's point—they have to have enough motivation that it's worth more than $10,000 to them and also have more than $10,000 to spend and also have the connections necessary to get in touch with someone who's able to sell a vulnerability like this and also be able to exploit it in a timely manner or at least think they can.
Or be a black hat. An incredibly common hat.
Draw up a straw-man business plan for this, with SWAG numbers.
The motivation isn't financial but the impact to some of Google's biggest earners would be significant. Never mind the PR when Mr Beast and SSSniperwolf's personal details leak online.
3 replies →