科技回声

A technology news platform built on Next.js, offering global technology news and discussion.

The embedded YouTube player told me what you were watching

260 points, by hackerpain, over 4 years ago

13 comments

taldo, over 4 years ago
$1,337 for watch history + liked videos + watch later disclosure? Requires user to visit a malicious site, yes, but still feels a bit skimpy.
neetodavid, over 4 years ago
It's too bad (in a way...) they couldn't get private video IDs to leak. It would have made an impressive combination with their bug posted earlier this month (Stealing Your Private Youtube Videos, One Frame at a Time, https://news.ycombinator.com/item?id=25728175).

Speaking of... do security researchers sometimes just sit on their discoveries in hopes that they will eventually lead to a bigger payout? I would be kicking myself if I had reported a bug for a relatively small reward that I could have leveraged in combination with another discovery.
grishka, over 4 years ago
Yet another example of why the whole concept of third-party cookies does much more evil than good. Yet all major browsers keep them enabled by default.
ummonk, over 4 years ago
This was an extremely serious privacy issue, and it's shocking that they'd only award $1,337 for a bug of this scope.
pcthrowaway, over 4 years ago
I honestly feel like Google's award in this case is pathetic. This is an exploit which would be worth 100s of thousands, if not millions, to the wrong people.
AbuAssar, over 4 years ago
That's why I don't browse the web while logged in to Google/FB/Twitter, as I keep them in separate Firefox containers.
gverrilla, over 4 years ago
Doesn't Google employ the elite of world programming? How can such stuff even happen? Honest question.
intricatedetail, over 4 years ago
Companies should stop exploiting developers. Instead of erecting another skyscraper they should start paying their fair share.
buo, over 4 years ago
My understanding is that the JavaScript in a web page executes in the client. How can the page owner obtain the video lists?
anonymousiam, over 4 years ago
I can see why Google might want to downplay this. Partner websites could obtain the history info directly from users and Google would not need to disclose the data sharing. I'm sure the watchlists/history would be valuable tools for profiling and advertising purposes.
djrogers, over 4 years ago
This is a bad link, not sure how it got upvoted when following it fails (there's a trailing . after the domain). That's kinda fishy...

Correct link should be https://bugs.xdavidhu.me/google/2021/01/18/the-embedded-youtube-player-told-me-what-you-were-watching-and-more/
kkotak, over 4 years ago
He lost me at - Forgot to eat Pizza.
layer8, over 4 years ago
EDIT: never mind

Should probably be (2019), as the bug has been fixed since (as noted at the bottom of TFA).