How a $20,000 Bug Was Hidden Inside YouTube’s API — A Bug Bounty Review

medium.com · Vivek PS · 15 days ago · research
quality 7/10 · good
0 net
Tags
bug-bounty
How a $20,000 Bug Was Hidden Inside YouTube's API — A Bug Bounty Review | by Vivek PS - Freedium Milestone: 20GB Reached We’ve reached 20GB of stored data — thank you for helping us grow! Patreon Ko-fi Liberapay Close < Go to the original How a $20,000 Bug Was Hidden Inside YouTube's API — A Bug Bounty Review Note: This is a review and narrative of a bug bounty write-up originally published by BruteCat. Full credit goes to the original… Vivek PS Follow ~6 min read · March 26, 2026 (Updated: March 26, 2026) · Free: No Note: This is a review and narrative of a bug bounty write-up originally published by BruteCat. Full credit goes to the original researcher. Original article: https://brutecat.com/articles/youtube-creator-emails Free Link Some bug bounty findings make you go "wow, that's clever." This one made me stop and re-read the entire chain three times. BruteCat's disclosure — "Disclosing YouTube Creator Emails for a $20k Bounty" — is one of those rare write-ups where every step of the exploit chain is genuinely creative, and the final impact is surprisingly real. Let me walk you through it. Step 1: Teaching Yourself the Shape of a Private API The whole thing starts with a fascinating observation about how Google's APIs handle malformed requests. BruteCat noticed that if you send a request to a YouTube API endpoint with the wrong parameter type, the server helpfully returns an error message that reveals the internal parameter name. For example, if you pass an integer instead of a string for the browseId field, YouTube's API returns: "Invalid value at 'browse_id' (TYPE_STRING), 1". That single error message tells you the internal proto field name and type. Now here is where it gets clever. YouTube's API also supports a lesser-known format called ProtoJson (Content-Type: application/json+protobuf). In this format, you can pass values positionally as an array instead of by name. So by sending an array of integers like [1,2,3,…30], every single field gets the wrong type simultaneously — and the error response leaks ALL the field names and types in one shot. This technique gave BruteCat a full proto schema of YouTube's internal API — without any official documentation. That's pure recon gold. Step 2: The Endpoint That Looked Secure Armed with this schema knowledge, BruteCat focused on the YouTube Studio endpoint used by the "Earn" tab: /youtubei/v1/creator/get_creator_channels. This endpoint is supposed to let you fetch your own channel's monetization metadata. It uses a "mask" system to control which fields you can access. The interesting part? You can query OTHER channels using this endpoint. But if you tried requesting any sensitive masks (fields) for a channel you don't own, the API returned a clean 403 Permission Denied. It looked airtight. The security seemed solid… until BruteCat ran the proto schema dump on this endpoint too. Step 3: The Hidden Parameter The schema dump revealed two hidden boolean parameters on this endpoint that weren't in any documentation: criticalRead and includeSuspended. criticalRead did nothing interesting. But includeSuspended? That unlocked a completely different response — it leaked the channel's contentOwnerAssociation object, which included a Content Owner ID tied to YouTube's internal Content ID system. Step 4: The Content ID Rabbit Hole Here's where you need to know a bit of YouTube history. YouTube has a system called Content ID, which lets major rights holders (music labels, studios) automatically claim or monetize any video that uses their content. Regular YouTube Partner Program (YPP) creators don't get full Content ID access, but YouTube secretly creates an IVP (Individual Video Partnership) Content Owner account for every monetized channel behind the scenes. This internal account is used for the Copyright Match Tool — the simpler creator-facing version of Content ID. The includeSuspended parameter was leaking this IVP Content Owner ID. Now BruteCat had the Content Owner ID for any monetized channel. The question became: what can you do with it? Step 5: Turning a Content Owner ID Into an Email Address BruteCat discovered the YouTube Content ID API — a separate, partner-only API at developers.google.com/youtube/partner. The contentOwners.list endpoint accepts a Content Owner ID and returns the channel's "conflict notification email" — the email address on file when the channel was originally monetized. The catch? You needed a Content Manager account to call this API. Regular accounts got a 403 Forbidden. But here's the twist BruteCat spotted: even though the API was supposed to be restricted to full Content Manager accounts, the IVP accounts (the ones auto-created for every monetized channel) ALSO worked. A friend with a monetized channel tested it in the API explorer, and it worked perfectly. The email came back in the response. The Full Attack Chain Here's how it all fits together in practice: 1. Call /youtubei/v1/creator/get_creator_channels with the target channel ID and includeSuspended: true 2. Extract the contentOwnerAssociation.externalContentOwnerId from the response 3. Use the YouTube Content ID API Explorer (with any monetized Google account) to call contentOwners.list with that ID 4. Receive the target channel's email address in the conflictNotificationEmail field Any YouTube creator with a monetized channel (all 3 million+ of them) was vulnerable. Anyone with their own monetized channel could pull the private email of any other monetized creator. The Bounty: $20,000 BruteCat reported this to Google on December 12, 2024. It was triaged within 4 days and Google responded with an enthusiastic acknowledgment. The initial award was $13,337 — classified under "Normal Google Applications" with the category "bypass of significant security controls." BruteCat then pointed out that studio.youtube.com and youtube.com are both Tier 1 domains under Google's VRP policy, which qualify for higher reward levels. Google agreed and added an additional $6,663 — bringing the total to exactly $20,000. The bug was patched on February 21, 2025–71 days after the initial report. Google also sent VRP swag. The full disclosure was published on March 13, 2025. What I Take Away From This As someone who actively hunts bugs and reads as many write-ups as I can, this one stands out for several reasons. Error messages are data. The entire entry point here was using debug/error messages to reverse-engineer an undocumented API schema. This is something we often overlook in recon. Next time you get a 400 error, read it carefully. 2. Hidden parameters are a real attack surface. Developers add debug flags, internal parameters, and feature toggles to APIs all the time. They just don't document them. The ProtoJson trick BruteCat used is a brilliant systematic approach to surfacing these. 3. Know the program's scope inside out. BruteCat knew Google's VRP tier structure well enough to challenge the initial $13k award and push it to $20k. Knowing your target's rules is as important as knowing their code. 4. Cross-API chaining is underrated. The vulnerability wasn't in one place — it was the combination of a hidden parameter in one API and a poorly access-controlled endpoint in a completely separate API. Most hunters look at one endpoint at a time. BruteCat connected dots across two entirely different APIs and systems. Final Thoughts This is one of the best bug bounty write-ups I've read this year. Not because the impact is earth-shattering — leaking emails is not account takeover — but because the methodology is so clean and teachable. BruteCat didn't find a zero-day. They found a way to read the API's own internal blueprint, then followed the data to its logical conclusion across two systems that were never supposed to interact this way. The $20,000 reward is well deserved. More importantly, the technique of using ProtoJson type-confusion to dump hidden API fields is something every serious API security researcher should have in their toolkit now. Go read the full original write-up at https://brutecat.com/articles/youtube-creator-emails — it's worth every minute. Enjoyed this breakdown? I write about real-world bug bounty stories, hacker thinking, and web security vulnerabilities in my book — Inside the Hacker's Mind. It covers the mindset, methodologies, and real bug bounty case studies that most security courses never teach. If you're serious about bug bounty hunting, this is the kind of resource that fills the gap between theory and actual findings. Get your copy here → Inside the Hacker's Mind on Gumroad #cybersecurity #ethical-hacking #programming #bug-bounty #artificial-intelligence Reporting a Problem Sometimes we have problems displaying some Medium posts. If you have a problem that some images aren't loading - try using VPN. Probably you have problem with access to Medium CDN (or fucking Cloudflare's bot detection algorithms are blocking you).
← Back to stories