🧠 Quick Summary
In this post, I explain how I discovered a severe authorization bypass vulnerability in YouTube’s internal tool, Video Builder (https://director.youtube.com). This tool allows advertisers to easily create and upload video ads to their YouTube channels.
Due to a missing authorization check in the backend, any user with access to this tool could upload a video to any YouTube channel by simply modifying the channelId parameter in a specific request. This meant that attackers could target any verified or influential YouTube channel and upload content without their permission.
Google acknowledged the vulnerability, resolved it quickly, and awarded me $6,337 under their Google Vulnerability Reward Program (VRP).
YouTube Video Builder is a lightweight video creation tool for businesses and advertisers. It helps create short promotional videos (typically 6–15 seconds) using static assets like logos, images, and text animations.
Key features:
- Templates for quick video generation
- Brand customization options
- Direct integration for uploading to a connected YouTube channel
The tool is available only via invitation or request, making it relatively unknown to the public.
I gained access to YouTube Video Builder via my Google Ads account. Once inside, I explored the video creation flow.
I selected a template, added sample brand assets (logo, image, and tagline), and moved through the creation steps.
During the final step (video upload), I clicked “Save Video” and intercepted the outgoing request using Burp Suite.
Endpoint:
POST https://director.youtube.com/videobuilder/_/rpc/Image2VideoUiService/UploadToYouTube
Original payload:
{
"channelId": "UCabc123xyz...",
"videoTitle": "Aditya Test Video",
"videoPrivacy": "unlisted",
...
}
I had a simple but powerful thought:
“What if I change the channelId to a channel I don't own?”
I extracted a public YouTube channel ID (easily available from any channel URL).
I modified the payload to include a different channelId:
{
"channelId": "UCnOtMyChAnNeL123",
"videoTitle": "Test Attack Video",
...
}
I re-sent the request.
The server responded successfully and returned:
{
"videoId": "dEfaUlTxXyZ123"
}
This meant my video had been uploaded to the targeted channel without any form of authorization. The video was set to “unlisted” and visible to anyone with the link.
This bug could allow:
- Uploading defaming or malicious videos to any channel
- Damaging brand reputation or spreading misinformation
- Targeting high-profile influencers, businesses, or even political accounts
For example:
An attacker could upload a scam video to a verified channel and promote it using that channel’s reputation.
Although the video would be unlisted, it would still be accessible to the channel owner and anyone with the video link.
🔍 Root Cause Analysis
The vulnerability stemmed from a classic IDOR (Insecure Direct Object Reference) issue.
The backend did not validate whether the user making the upload request was authorized to use the provided channelId.
The server should verify that the authenticated user actually manages or owns the YouTube channel associated with the provided channelId.
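The missing check can be sketched as follows. This is an added example, not Google's code and not part of the original post; the `CHANNEL_MANAGERS` table, the `Session` type, the handler names and all channel IDs are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical IDs): accounts allowed to manage each channel.
CHANNEL_MANAGERS = {
    "UC_constructed_own": {"advertiser@example.com"},
    "UC_constructed_other": {"owner@example.com"},
}
AUDIT_LOG = []  # denied attempts, kept for detection and alerting


@dataclass(frozen=True)
class Session:
    user: str  # identity from the authenticated session, never from the request body


def upload_unchecked(session, body):
    """Flawed pattern: the client-supplied channelId is used without any check."""
    return 200, {"videoId": "vid-on-" + body["channelId"]}


def upload_checked(session, body):
    """Hardened pattern: authorize the session user against the requested channel."""
    channel_id = body.get("channelId")
    # Deny by default: a missing, malformed or unknown channel has no managers.
    managers = CHANNEL_MANAGERS.get(channel_id, set()) if isinstance(channel_id, str) else set()
    if session.user not in managers:
        AUDIT_LOG.append({"user": session.user, "channelId": channel_id, "action": "upload"})
        return 403, {"error": "caller does not manage this channel"}
    return 200, {"videoId": "vid-on-" + channel_id}


if __name__ == "__main__":
    me = Session(user="advertiser@example.com")
    for cid in ("UC_constructed_own", "UC_constructed_other"):
        body = {"channelId": cid, "videoTitle": "Test", "videoPrivacy": "unlisted"}
        print(cid, upload_unchecked(me, body)[0], upload_checked(me, body)[0])
```

The denied-attempt log doubles as a detection signal: repeated 403s from one account across many channel IDs indicate someone probing for this class of bug.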
- Strict Backend Authorization
  - Validate ownership of channelId on the server side.
- Don’t Trust Client-Side Inputs
  - Never rely on client-submitted values for sensitive identifiers.
- Regular Security Audits of Internal Tools
  - Internal or invite-only tools must go through the same security checks as public-facing services.
- Accessed YouTube Video Builder via Google Ads
- Created a sample ad video
- Intercepted final upload request
- Replaced channelId with that of a public channel
- Sent the request
- Server responded with a valid videoId — upload successful
This bug was simple in execution but had the potential for massive impact. It showed how trusting frontend data, even in internal tools, can lead to critical authorization issues.
- Always validate ownership and access at the backend
- Frontend controls are never enough
- Even restricted tools can have dangerous flaws
Aditya Sunny
Bug Bounty Hunter | Security Heroes Honoree
Reported to: Meta, Google, Dell, Bajaj Finserv
📷 Instagram: @hackerdiary100
📝 Medium blog: