Disclosing YouTube Creator Emails for a $20,000 Bounty

  • Leaking Request Parameters: Discovered it's possible to leak all request parameters of Google API endpoints by sending a request with a wrong parameter type. For example, in a /youtubei/v1/browse request, sending browseId as a number instead of a string like "UCX6OQ3DkcsbYNE6H8uQQuVA" returns debug information about that parameter. YouTube's API also supports the ProtoJson format, in which parameter values can be specified in an array; this makes it possible to supply the wrong type for nested fields and leak information about the entire request payload. Wrote a tool called req2proto to automate this process.
  • A seemingly secure endpoint: In YouTube Studio, the /youtubei/v1/creator/get_creator_channels endpoint is used to fetch channel data. It seems secure, as only a few masks are allowed by default and requesting other masks results in a Permission denied error. But by dumping the request payload with req2proto, two undocumented parameters, criticalRead and includeSuspended, were found. Enabling includeSuspended leaked the channel's contentOwnerAssociation.
  • Content ID and IVP Content Owner: YouTube has a special account called Content Manager for trusted rightsholders. There's also a watered-down version called Copyright Match Tool for monetized creators. When a channel gets monetized, a CONTENT_OWNER_TYPE_IVP content owner account is created. Using the YouTube Content ID API, it was found that an IVP Content Owner can be used to fetch the conflict notification email of another channel.
  • Putting the attack together: The attack involves fetching /get_creator_channels with includeSuspended: true to leak the victim's IVP Content Owner ID, then using the Content ID API Explorer with a Google account tied to a monetized channel to obtain the conflict notification email. The disclosure timeline covers the report to the vendor, triage, the bounty award, and confirmation of the fix.
  • Additional notes: The includeSuspended parameter could also have been found in the InnerTube discovery document. The block on GET requests to youtubei.googleapis.com can be bypassed by sending a POST request with the X-Http-Method-Override: GET header. Both the prod and staging discovery documents have since been removed.
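The request patterns that chain together above (type-mismatch probing, the undocumented includeSuspended parameter, and the method-override header) are the ones an API gateway operator would want to surface. The detection logic below is an added example, not code from the writeup or from Google; the log format, field names, expected-type table and thresholds are assumptions, and the log lines are constructed.

```python
import json
from collections import Counter

# Constructed sample log: one JSON event per line. Field names are assumptions.
SAMPLE_LOGS = """\
{"client":"c1","path":"/youtubei/v1/browse","headers":{},"body":{"browseId":"UCX6OQ3DkcsbYNE6H8uQQuVA"}}
{"client":"c2","path":"/youtubei/v1/browse","headers":{},"body":{"browseId":123}}
{"client":"c2","path":"/youtubei/v1/browse","headers":{},"body":{"browseId":[123]}}
{"client":"c2","path":"/youtubei/v1/browse","headers":{},"body":{"context":"not-an-object"}}
{"client":"c3","path":"/youtubei/v1/creator/get_creator_channels","headers":{},"body":{"includeSuspended":true}}
{"client":"c4","path":"/youtubei/v1/browse","headers":{"X-Http-Method-Override":"GET"},"body":{}}
""".splitlines()

# Expected JSON types for public fields (assumed; not Google's real schema).
EXPECTED_TYPES = {"browseId": str, "context": dict}
# Internal-only fields no external caller should set (the two named in the writeup).
HIDDEN_PARAMS = {"includeSuspended", "criticalRead"}

def analyze(lines, probe_threshold=3):
    """Return (rule, client, detail) findings for the given log lines."""
    findings, mismatches = [], Counter()
    for raw in lines:
        ev = json.loads(raw)
        client, path, body = ev["client"], ev["path"], ev.get("body", {})
        headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}

        # Rule 1: undocumented parameters sent to the creator-channels endpoint.
        hidden = sorted(HIDDEN_PARAMS & set(body))
        if hidden and path.endswith("/creator/get_creator_channels"):
            findings.append(("hidden_param", client, hidden))

        # Rule 2: method-override header used to turn a POST into a GET.
        if "x-http-method-override" in headers:
            findings.append(("method_override", client, headers["x-http-method-override"]))

        # Rule 3: known fields sent with the wrong JSON type (number or array
        # where a string/object belongs). One mismatch is a buggy client;
        # repeated mismatches from the same client look like schema probing.
        for field, typ in EXPECTED_TYPES.items():
            if field in body and not isinstance(body[field], typ):
                mismatches[client] += 1

    for client, n in mismatches.items():
        if n >= probe_threshold:
            findings.append(("type_probe_burst", client, n))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding)
```

Rule 3 flags only a burst, so a single mistyped field from a client does not fire; tune probe_threshold to the error rate of legitimate clients.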