Steps to reproduce:
Victim:
1. Upload video.
2. Edit video.
3. Show how many viewers like and dislike this video ---> Don't show how many viewers like and dislike this video.
4. Save.
Attacker:
1. Go to YouTube Studio ---> Customization ---> Layout.
2. Add featured video for returning subscribers.
3. Enter the URL of any video on YouTube, including one the attacker does not own: https://www.youtube.com/watch?v=victim_video_id
Response:
"metrics": {"viewCount": "victim_video_viewCount", "commentCount": "victim_video_commentCount", "likeCount": "victim_video_likeCount", "dislikeCount": "victim_video_dislikeCount"}
The response includes the like and dislike counts even though the victim has hidden them. The privacy setting was only enforced on the watch page; the featured-video picker in YouTube Studio returned the stored metrics of any video to any channel owner who entered its URL.
PoC video: https://youtu.be/bVKgoxLbyPc
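The bug above is a missing authorization check on a second endpoint: the owner's "don't show likes and dislikes" setting was honoured by the watch page but not by the Studio picker that serialised the same record. The following is an added example that models that bug class and its fix; it is not YouTube's code, and the video records, field names and the `featuredVideoPicker*` function names are constructed for illustration.

```javascript
// Added example (not YouTube's code): a minimal model of an endpoint that
// leaks owner-hidden metrics, beside a hardened version that enforces the
// owner's privacy setting at serialisation time.

// Constructed sample data: a video whose owner turned the counts off, and one
// whose owner left them visible.
const videos = {
  victim_video_id: {
    ownerId: "victim",
    showLikeDislikeCount: false, // victim chose "Don't show how many viewers like and dislike"
    metrics: { viewCount: 1234, commentCount: 56, likeCount: 78, dislikeCount: 9 },
  },
  public_video_id: {
    ownerId: "someone",
    showLikeDislikeCount: true,
    metrics: { viewCount: 10, commentCount: 1, likeCount: 2, dislikeCount: 0 },
  },
};

// Vulnerable: the picker returns the stored record as-is for any video id.
// Only the watch page applied the privacy flag, so this second endpoint leaks
// the hidden counts to any signed-in channel owner who enters the URL.
function featuredVideoPickerVulnerable(videoId, requesterId) {
  const v = videos[videoId];
  if (!v) return null;
  return { videoId, metrics: { ...v.metrics } };
}

// Hardened: one serialiser, shared by every endpoint that emits metrics,
// drops the hidden fields unless the requester owns the video.
function serializeMetrics(video, requesterId) {
  const m = {
    viewCount: video.metrics.viewCount,
    commentCount: video.metrics.commentCount,
  };
  if (video.showLikeDislikeCount || requesterId === video.ownerId) {
    m.likeCount = video.metrics.likeCount;
    m.dislikeCount = video.metrics.dislikeCount;
  }
  return m;
}

function featuredVideoPickerFixed(videoId, requesterId) {
  const v = videos[videoId];
  if (!v) return null;
  return { videoId, metrics: serializeMetrics(v, requesterId) };
}

// Regression check: given a response body, the video record and the requester,
// return the names of hidden fields that should not have been present.
function leakedHiddenFields(responseJson, video, requesterId) {
  const hiddenFields = ["likeCount", "dislikeCount"];
  const allowed = video.showLikeDislikeCount || requesterId === video.ownerId;
  if (allowed || !responseJson || !responseJson.metrics) return [];
  return hiddenFields.filter((f) => f in responseJson.metrics);
}

// Usage: run the attacker's query against both endpoints.
const victim = videos.victim_video_id;
console.log(leakedHiddenFields(featuredVideoPickerVulnerable("victim_video_id", "attacker"), victim, "attacker"));
console.log(leakedHiddenFields(featuredVideoPickerFixed("victim_video_id", "attacker"), victim, "attacker"));
```

The point of `serializeMetrics` is that the privacy decision lives in one place used by every endpoint, so a new feature such as the featured-video picker cannot forget it; a per-page check, which is what the original behaviour suggests, is exactly what this report bypassed.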
Timeline:
mm/dd/yyyy
02/09/2021 - Bug Found
02/09/2021 - Submit Report
02/10/2021 - Triaged
Priority: P4 ---> P3
Status: New ---> Assigned
02/20/2021 - 🎉 Nice catch!
Status: Assigned ---> Accepted
Severity: S4 ---> S2
Priority: P3 ---> P2
Type: Customer Issue ---> Bug
02/26/2021 - Bounty awarded by Google VRP.
03/26/2021 - Fixed
LinkedIn: Alessandro Rumampuk
YouTube: R,ando
Facebook: Ando
Twitter: R ando