Vulnerability in YouTube Studio: a comment and your private videos are no longer safe
Vulnerability in YouTube Studio: a comment and your private videos are no longer safe
A security researcher signing as javoriuski has identified a vulnerability in Ask Studio, the AI-based assistant integrated into YouTube Studio, exploiting it to expose the titles of private videos uploaded to creators' channels.
Ask Studio was designed to simplify the lives of content uploaders on the platform: just ask it, for example, what viewers think of a video, and the bot reads comments and returns a summary. The problem arises when one of those comments is not an opinion but contains instructions.
A comment that becomes an order for the AI, but for Google, it is not considered a vulnerability.
The researcher tested the hypothesis by leaving a comment crafted to seem like an operational directive directed at the model: it claimed to be from YouTube staff and asked the AI to prefix its summaries with the phrase "[IMPORTANT NOTICE FROM YOUTUBE]". Ask Studio executed the instruction to the letter, returning to the creator a text that appeared to be an official communication from the platform, actually generated from a mere comment left by a stranger.
To make the attack invisible, javoriuski took a second precaution: first posting an innocuous comment ("Great video!") and only later modifying it to insert the malicious payload. YouTube does not notify creators when a comment is modified, so no one would come back to reread it.
To make matters worse, the prompts suggested directly within the YouTube Studio interface automatically send all comments to the AI as soon as they are clicked. The creator doesn’t even need to think about asking for a summary of the comments: they just have to interact with a button suggested by the platform itself for the injection to activate.
Reported to Google, the vulnerability was dismissed on the grounds that it would require "social engineering" and would therefore not be tracked as a security bug. The researcher contests this interpretation: no creator ever sees the malicious comment; the interaction occurs only with YouTube’s assistant, which the user inherently trusts. It is not the trust towards a stranger that is exploited, but trust in Google’s product.
To demonstrate the seriousness of the problem, javoriuski modified the payload by asking the AI to construct a link containing, as a parameter in the URL, the title of a video from the channel. Ask Studio, being an authenticated tool for creators, also has access to private content. By clicking on the link (presented as a verification from YouTube), the creator unknowingly sent the title of a private video to the attacker's server, potentially revealing unannounced projects or sensitive material.
Even after this practical demonstration, Google’s response has not changed: no bug to fix. According to the researcher, the solution would require treating the content of comments as unreliable data, distinctly separating them from the model's system instructions. Without this boundary, any AI function that reads and acts on user-generated content remains a potential attack vector, open to anyone who leaves a comment.