Comment by lolinder
2 months ago
> This exploit could have been used to create a massive near-complete database of every Google account has automatically had a Youtube account created.
Massive email databases are extremely cheap, often free. For this vulnerability to be worth more than $10k there would have to be something about it being a near-complete library of Google accounts (rather than just another massive mailing list).
And that's assuming the prospective buyer believed that they could exploit this vulnerability in full before discovery. If I'm reading this exploit right, each email recovered requires two requests, one of which needs to make one of the fields 2.5 million characters long in order to error out the notification email sent to the victim. Presumably that email sending error would show up in a log somewhere, so the prospective attacker would have to send billions of requests fast enough that Google can't block them as suspicious or patch the vulnerability, all the while knowing full well that they're filling up an error log somewhere and leaving an extremely suspicious pattern of megabyte-sized request bodies on a route that normally doesn't even reach kilobytes.
I'm honestly not seeing how you could make an email list out of this that is anywhere near complete, and even if you could I'm not sure where the value to it would be.
> Massive email databases are extremely cheap, often free
There are different qualities of email databases. "Known real email by Youtube account holders" would be a high value database. Definitely not free.
This type of vulnerability is extremely valuable for private investigators, too. "Who uploaded this video which my client is extremely interested in?"
> This type of vulnerability is extremely valuable for private investigators, too. "Who uploaded this video which my client is extremely interested in?"
Would exploiting this vulnerability violate the Computer Fraud and Abuse Act? If so, would a private investigator really want to do that?
The CFAA is so broad that it's really for the prosecutor to decide you're an evil hacker and go after you, even if you didn't do anything bad. Like using view source in a web browser. A PI works around legally grey things anyway, what's the CFAA on top of that?
https://www.stltoday.com/news/local/government-politics/pars...
Sure but did you read the rest of the post you're replying to?
That database only exists in theory, based on extrapolation of this vulnerability to billions of individual exploits, and I think we can all agree that Google would detect this activity and shut it down.
Hence, that database might fetch a decent price if it existed, but it doesn't.