Google Didn't Care About a YouTube Bug That Makes Private, Paid, Scheduled or Deleted Videos Available to Watch

Google didn't care about the bug, so I think it's okay for everyone to know. Here is a YouTube bug that makes private, paid, scheduled or deleted videos available to watch, which Google didn't care about. Let's start the story, and at the end I'll show you how to reproduce the bug using just a browser, along with a video I captured as proof.


How I Came Across the Bug

I was watching a live stream on YouTube a few days ago. The owner of the channel conducts live streams publicly, and after the stream, he shares the recording as a paid video, which is only available to members. That means you are not supposed to watch it as a normal user.

Back then, while I was watching the stream, I got bored and opened a new tab, continuing to stroll around the Internet. A few hours later, I realized the live stream tab was still open. I tried to start the live stream, which I was not supposed to be able to watch since the stream had ended and was shared only with members. And it shocked me that I could watch the stream. I thought it might be caching, but I checked it and found out that it was downloading, so the premium content wall was bypassed by itself. I quickly opened a new tab with the same URL and received the error message: 'Members-only content. Join this channel to get access to members-only content like this video and other exclusive perks.'

Then, I Contacted Google and the Message Was Ironic

I found Google's Bug Bounty program and sent all the details. I know it is not as severe a bug as RCE, SQLi, XSS, etc., but a bug is still a bug that needs to be solved.

The message from Google:

Hi! We've reviewed your submission and decided not to track it as a security bug. In addition, your report will not be accepted to our VRP.

Why? Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and we feel the issue you reported does not meet that bar :(.

Thanks for understanding,
The Google Bug Hunter Team

Several Possible Harmful Consequences (by ChatGPT)

  1. Privacy Violation: Private videos are intended to be viewable only by those with whom the video owner shares a specific link or invitation. Exploiting this bug could lead to the exposure of personal or sensitive content that was meant to be private.

  2. Loss of Revenue: For paid content or scheduled premieres, creators rely on viewers paying for access or watching during a specific time. If unauthorized viewers can access this content for free, it can lead to financial losses for content creators.

  3. Content Theft: If deleted videos can still be viewed through this bug, it could enable the unauthorized copying or downloading of content that the creator intended to remove from the platform.

Steps to reproduce

  1. First, upload a video to YouTube, and then choose either public or unlisted visibility.
  2. Open the video in another tab. It can be in incognito mode.
  3. While watching, change the visibility of the video to private, scheduled, or paid. (Don't close the video tab.)
  4. As you can see, although you don't have permission to watch the video (as it is private, scheduled, or paid), you are still able to watch it.
  5. Furthermore, even if the video is deleted, you are still able to watch the video as long as you don't close the tab.

Briefly, do not close the tab.
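
The behaviour in the steps above is what you would see if access were decided once, when the watch page loads, and later media requests were not checked against the video's current state. The sketch below is an added example, not code from this post or from YouTube: the `Catalog` class, the grant format and both `serve_segment_*` functions are hypothetical, and how YouTube actually authorizes media requests is not stated on this page.

```python
# Hypothetical model of "check once at load" vs "re-check per media request".
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value, for the example only

class Catalog:
    """Hypothetical video store: id -> [visibility, version]."""
    def __init__(self):
        self.videos = {}

    def publish(self, vid, visibility):
        self.videos[vid] = [visibility, 1]

    def set_visibility(self, vid, visibility):
        self.videos[vid][0] = visibility
        self.videos[vid][1] += 1  # every change makes older grants stale

    def delete(self, vid):
        del self.videos[vid]

def _sign(vid, viewer, version):
    msg = f"{vid}|{viewer}|{version}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_grant(catalog, vid, viewer, members=()):
    """Access decision made once, when the watch page is loaded."""
    entry = catalog.videos.get(vid)
    if entry is None:
        return None
    visibility, version = entry
    if visibility not in ("public", "unlisted") and viewer not in members:
        return None
    return {"vid": vid, "viewer": viewer, "version": version, "sig": _sign(vid, viewer, version)}

def serve_segment_weak(catalog, grant):
    """Accepts any validly signed grant; never looks at the current state."""
    expected = _sign(grant["vid"], grant["viewer"], grant["version"])
    return hmac.compare_digest(expected, grant["sig"])

def serve_segment_strict(catalog, grant):
    """Also requires that the video still exists and the grant is current."""
    if not serve_segment_weak(catalog, grant):
        return False
    entry = catalog.videos.get(grant["vid"])
    return entry is not None and entry[1] == grant["version"]
```

With the strict check, a viewer who is still entitled after a visibility change simply requests a fresh grant, while a stale tab stops receiving media.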

The Proof Video

If you wonder how it looks, you can watch the video.