Comment by Cpoll

2 months ago

> because $10,000 feels extraordinarily high for a server-side web bug.

Am I misunderstanding the bug? In my reading, this bug translates to "a list of the top 1,000 YouTube accounts' email addresses (or as many as you can get until Google detects it and shuts it down)." Why isn't that conceivably worth more than $10,000?

Perhaps because email addresses are kinda/sorta PII (business emails are categorically not) but not quite comparable to home addresses, tax/payment information, etc.

Our emails get leaked all the time in data breaches, sometimes alongside much more important information such as home addresses etc.

This was certainly a bad leak that could be used to further dox people by connecting the email to other leaked info or other sources, but from Google's perspective, all they did was leak the email.

It was a privacy breach for sure.

But further doxxing based on the email would be "not their problem," I suspect they would say.

> Why isn't that conceivably worth more than $10,000?

As explained by the parent comment, because there isn't a market for it. It's a novelty. Who are you going to sell that exploit to? At this time, nobody. Since Google doesn't have to compete against others for the bug, it pays low.

  • To clarify, I'm not suggesting selling the exploit. I'm suggesting selling MrBeast, PewDiePie, Blackpink, Sony Music, etc.'s YouTube email addresses. To phishing rings.

    Those may be non-public email addresses (admin/billing emails), so the phishing potential is higher than emailing prteam@mrbeast.com (or whatever).

Oh darn, my YouTube email was leaked... It certainly stinks that mybusinessname@gmail.com is now known to the world...

There are certainly bad things that CAN be done to a number of people with information when it's a personal email address that's used for numerous purposes... but the 3 people I talked to about having YouTube (or any streaming) accounts all have mentioned it as being a separate account.

So the only threat I can see in most cases is just better phishing attempts, which is not necessarily an easy money maker... Unless they can steal the entire account? It is impossible to get support from Google, so it's quite possible you could change the bank info and get a month or two of payments before someone gets in the loop to stop it... and realistically, the more money someone is making on YouTube, the less likely they have troubles contacting someone at Google by some side channel... and the less likely it's a personal email address that reaches the actual star of the channel... so the more popular the person, the less valuable the email address.

  • Increasing the ease of phishing the top 1000 YouTube accounts seems like a pretty serious threat to me.

    • But as I tried to highlight, the more valuable the YouTube account, the more likely they actually have an account manager at Google. Additionally, they probably have staff, and it's not actually the "star" that you would be emailing... Once you gain access to their YouTube account, what could you actually do to harm them? Upload a video that encourages somebody to go to a website and do a thing? It would probably get reported fairly quickly... and it probably wouldn't look like a normal video for that channel, so it might stand out... It's just a very weird attack vector that is more easily achieved without spending lots of money to unmask email addresses. The fake Elon Musk profiles/accounts pushing watches or telling people to buy crypto are infinitely cheaper and probably more effective... you could just make an account that pretends to be the person you're trying to scam and make comments on their videos.

I think a simple way to think of it is: how much would an adversarial nation state buy this exploit for?

I just don't think Russia would be willing to pay $100,000 to get Mr. Beast's email address, even if that sounds tempting to you.

  • Why a nation state? My hypothetical is a phishing ring that sends an official-looking phishing email to 1000 non-public email accounts that typically only get emails from YouTube.

    The exploit can be valued at: number of emails * probability that you'll phish them into letting you in * value of posting a "Free Robux" scam on a channel with 100M subscribers.

    • Who are you advertising to? What is the risk of getting caught or getting scammed back while trying to receive your payment?

      I feel like you are just taking into account the theoretical max value of a bad actor having these accounts, not the cost/risk of using this knowledge.

      I could have the master key of a bank safe with 100MM worth of gold in the basement, but its value is going to be nowhere near that, even to bad actors.

    • Yea. Especially with AI, easy access to identities of email users makes it so much easier to scam on a massive scale.

The majority of the top 1000 YouTube accounts will actually have an email address publicly available, as they are a business and they want people to be able to reach out to them for sponsorships or brand collaborations.

For example, MrBeast has this in the video description:

> For any questions or inquiries regarding this video, please reach out to chucky@mrbeastbusiness.com

The vulnerability here is that you can find the exact email address tied to their YouTube account, which you can't really do anything with if they have strong passwords and use 2FA.

> Why isn't that conceivably worth more than $10,000?

If it exposed passwords as well then that would be worth a lot more, but a list of email addresses is not the most valuable of things on its own.