Leaking YouTube creators' private videos
Points and comments are a snapshot, not live.
Prompt injection in YouTube's Ask Studio lets attackers extract private video titles from creators.
The author found that YouTube's Ask Studio AI assistant, which summarizes comments for creators, is vulnerable to stored prompt injection. A comment edited by an attacker can instruct the AI to output a link with a private video title as a parameter. When the creator clicks the link (trusting the AI's output), the title leaks to the attacker. Google declined to treat this as a security bug, citing social engineering. The author argues the trust exploited is in Google's product, not in a stranger. The fix requires treating comment content as untrusted data with clear role boundaries.
What commenters are saying
Commenters split into two camps. Some criticize Google for not treating this as a security bug, comparing it to historical injection flaws like SQLi or Log4Shell. Others argue it is an inherent LLM limitation not easily fixed, noting that mitigations include stripping Markdown links or isolating untrusted data ingestion. A few debate whether the attack is overstated, given creators would need to click a generated link. The thread also digresses into stylistic criticism of the article's LLM-like prose, with several commenters flagging patterns like "My initial theory was simple" as AI markers.