
Tell HN: A stranger is using my YouTube account and Google can't log them out

106 points| PeledYuval | 3 years ago

Hi HN,

I believe Google has a grave authentication issue and I cannot burst the impenetrable tier-1 support wall to solve it. Hopefully I'm wrong, but for the life of me and the support reps I talked to, we cannot get a stranger logged out of my YouTube account.

The stranger is using my YouTube account through my old Smart TV that I gave away (my bad for not logging out, but there should be recourse for this).

Once I discovered this, I have changed passwords and revoked auth tokens on all relevant services (Spotify, Disney+, etc.). All services no longer show the stranger accessing them - with the exception of YouTube.

The actions I've taken multiple times (as instructed by Google support):

- Changed my Google account's password
- Revoked all "devices I trust" under my 2FA settings
- Logged out of all devices in the "Your Devices" list

This did force me to log back in on my own devices (phone, TV), but I still see new videos that the stranger watched in my YouTube history. This has been happening for weeks.

Google support walked me through these steps and then gave generic "make sure your passwords are strong" article links, but, of course, refused to escalate this.

If you wish, you can view the support transcripts here (I admittedly got a little short during the 2nd conversation, which I regret): https://pastebin.com/GypwBPFj

---

Some details:

- The videos in my view history are in Arabic, so I know it's the stranger who watches them

- I know the stranger has access through my old TV because I saw their activity on all apps I had installed on my TV, and I saw my old TV signed in from a distant city under "Your Devices" list

53 comments

[+] jimrandomh|3 years ago|reply
You shouldn't be telling this to tier-1 support, you should be reporting it through a contact that's labeled as specifically being for reporting security issues affecting Google login, i.e. https://bughunters.google.com/ . This is a significant security vulnerability because the existence of this TV implies the existence of an API somewhere which the TV has used, which can create revocation-resistant keys.

(I ran into a similar issue with the Oculus/Meta Quest 2 and Facebook login tokens. I reported it as a vulnerability in the Facebook account system and it was fixed eventually.)

[+] sdiacom|3 years ago|reply
Why shouldn't tier-1 support be able to forward this to someone who is the slightest bit technical, who can then make the call to report this to the relevant security team?

There's no reason why tier-1 support has to be this irredeemably useless. Just put someone in the loop who knows when _not_ to blindly follow a script. It really isn't that hard.

[+] switchupcb|3 years ago|reply
I submitted a similar issue regarding Google Drive folders. I don't think submitting this issue will earn OP any money as a "significant security vulnerability": In other words, Google will not consider this a significant security vulnerability.

> While our highest-impact services (e.g., Google Wallet, Gmail) are designed to make cookies expire very shortly after the user logs out, we believe that most potential exploitation vectors for this behavior fall outside the security model of modern browsers and operating systems, and can't be meaningfully mitigated by any single website.

> Check this link for more info: https://sites.google.com/site/bughunteruniversity/nonvuln/co...

Note: The issue I submitted was related to revoking all sessions (authentication) as well.

[+] japanman425|3 years ago|reply
Not really. It’s just a long lived refresh token. You can revoke the app it’s associated to but OP seems unaware.
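
The two comments above (revocation-resistant keys issued to a device, and a long-lived refresh token that survives a password reset until the app itself is revoked) describe a design gap that is easy to see in a small model. The following is an added toy model written for this thread, not Google's implementation and not code from anyone in the thread: an account has interactive sessions (phone, browser) and OAuth grants issued through a device flow (the TV), and the `bind_grants_to_password` switch chooses whether refresh tokens are tied to the password's "generation" counter. The user, client and password values are constructed.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Grant:
    """An OAuth refresh-token grant held by a device or app (constructed model)."""
    client_id: str          # the app that obtained the token, e.g. a TV client
    generation: int         # password generation at the time of issuance
    revoked: bool = False


@dataclass
class Account:
    password: str           # plaintext only because this is a toy model
    generation: int = 1     # incremented on every password change
    sessions: set = field(default_factory=set)       # interactive session ids
    grants: dict = field(default_factory=dict)       # refresh_token -> Grant


class AuthServer:
    """Two revocation policies for refresh tokens.

    bind_grants_to_password=False: a refresh token lives until it is explicitly
        revoked, so a password change and "sign out everywhere" do not touch it.
    bind_grants_to_password=True:  a refresh token is also checked against the
        account's password generation, so a password change invalidates it.
    """

    def __init__(self, bind_grants_to_password: bool):
        self.bind_grants = bind_grants_to_password
        self.accounts = {}

    def create_account(self, user: str, password: str) -> None:
        self.accounts[user] = Account(password=password)

    def login(self, user: str, password: str) -> str:
        """Interactive login (phone, browser): returns a session id."""
        acct = self.accounts[user]
        if password != acct.password:
            raise PermissionError("bad password")
        sid = secrets.token_hex(8)
        acct.sessions.add(sid)
        return sid

    def authorize_device(self, user: str, client_id: str) -> str:
        """Device flow: user approves the client once; client keeps the refresh token."""
        acct = self.accounts[user]
        refresh_token = secrets.token_hex(16)
        acct.grants[refresh_token] = Grant(client_id=client_id, generation=acct.generation)
        return refresh_token

    def refresh_access_token(self, user: str, refresh_token: str) -> bool:
        """True if this refresh token can still mint access tokens."""
        acct = self.accounts[user]
        grant = acct.grants.get(refresh_token)
        if grant is None or grant.revoked:
            return False
        if self.bind_grants and grant.generation != acct.generation:
            return False
        return True

    def session_valid(self, user: str, sid: str) -> bool:
        return sid in self.accounts[user].sessions

    def change_password(self, user: str, new_password: str) -> None:
        """Password change: bump the generation and drop interactive sessions."""
        acct = self.accounts[user]
        acct.password = new_password
        acct.generation += 1
        acct.sessions.clear()

    def sign_out_everywhere(self, user: str) -> None:
        """The "sign out of all devices" button: only interactive sessions."""
        self.accounts[user].sessions.clear()

    def revoke_client(self, user: str, client_id: str) -> int:
        """Per-app revocation (the "remove access" action); returns grants revoked."""
        count = 0
        for grant in self.accounts[user].grants.values():
            if grant.client_id == client_id and not grant.revoked:
                grant.revoked = True
                count += 1
        return count


def scenario(bind_grants: bool) -> dict:
    """Replay the thread's situation against one policy and report what still works."""
    srv = AuthServer(bind_grants_to_password=bind_grants)
    srv.create_account("owner", "hunter2")                # constructed credentials
    phone = srv.login("owner", "hunter2")
    tv_token = srv.authorize_device("owner", "tv-app")    # token persisted in the TV

    srv.change_password("owner", "correct horse")
    srv.sign_out_everywhere("owner")
    result = {
        "phone_session": srv.session_valid("owner", phone),
        "tv_refresh_token": srv.refresh_access_token("owner", tv_token),
    }
    srv.revoke_client("owner", "tv-app")
    result["tv_after_app_revoke"] = srv.refresh_access_token("owner", tv_token)
    return result
```

With `bind_grants=False` the phone session dies but the TV's refresh token keeps working until the app is revoked, which is exactly the pattern the original post reports; with `bind_grants=True` the password change alone cuts the TV off. The defensive takeaway is that "sign out everywhere" must enumerate every credential class (sessions, OAuth grants, app passwords), not just interactive sessions, and that a password change should bump a generation that every long-lived token is checked against.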
[+] saurik|3 years ago|reply
I know this is going to sound ridiculous, but go to this random support forum and try to get ahold of Didi; they seem to have some kind of "in" with the account hijacking team and can get your account moved into a different kind of support queue.

https://support.google.com/youtube/community

[+] creakingstairs|3 years ago|reply
I do find it ridiculous that getting Google support has gotten to a point where people need to post for help on a forum in which they are hinted to go to another community and look for a person who has an "in" with a team.

I really should move off Gmail.

[+] PeledYuval|3 years ago|reply
Thanks! This does sound ridiculous, but maybe it will work? Worth a shot
[+] feklest|3 years ago|reply
In Google's OAuth 2.0 for TV and Limited-Input Device Applications page, https://developers.google.com/identity/protocols/oauth2/limi..., it says:

"Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working."

Maybe you could try issuing thousands of OAuth refresh tokens (or more) for your account, in the hope that it will hit some internal limit and automatically revoke the one stored inside that Smart TV?

[+] PeledYuval|3 years ago|reply
I think the risk of getting banned due to misuse is not worth it... But I like your hacker mentality!
[+] pifm_guy|3 years ago|reply
Some services still allow the less sensitive account actions after logging out.

Examples of this are eBay (can still edit cart) and AliExpress (can still see unread messages count).

Perhaps YouTube has decided that appending to the watch history is a sufficiently low risk operation that it's fine to do post-logout?

Implementation-wise, I can imagine that watch history is something that might be updated from logs, and therefore there isn't an opportunity to renew any auth tokens interactively.

[+] thehappypm|3 years ago|reply
My uneducated guess:

The app is in fact logged out, but it is still sending search logs back to YouTube using a device or session identifier. If you use YouTube logged out, for example, you’ll still have a history, which is tied to your session/device or something. There must be some system within YouTube that’s reconciling the TV’s logs back to your account, since it used to be your device.

[+] psychphysic|3 years ago|reply
Get him to log you out?

Maybe start watching videos on how to log out of that TV's YouTube app and also that weird softcore porn adjacent content. How to shuffle and trying on videos etc.

Hopefully the new user will decide to logout to get control of suggested content?

[+] mindcrash|3 years ago|reply
This should help:

"1. Open https://myaccount.google.com/device-activity on any device.

2. Select the device you’d like to sign out of.

3. Select Sign out.

You can also remove YouTube on TV access for a Google Account by opening https://myaccount.google.com/permissions > select YouTube on TV > Remove Access."

https://support.google.com/youtube/answer/7612539?hl=en

[+] theshrike79|3 years ago|reply
I'm guessing this smart TV is using some kind of weird nonstandard auth scheme that has fallen through the cracks.

Maybe it's storing some kind of non-expiring login token that isn't invalidated using the regular process.

[+] PeledYuval|3 years ago|reply
I've done both of these things - to no avail! This is really weird
[+] perryizgr8|3 years ago|reply
You should try to converse with them through the search history. Search for something like "Hello I am the previous owner of this TV. Please logout from YouTube.".

If the stranger is not a bad actor, they will definitely be happy to log out.

[+] tuckerman|3 years ago|reply
Could you try enabling advanced protection (if you are comfortable)? When I made that change I was forcefully logged out everywhere. (Disclaimer: used to work at Google, don't anymore, didn't work on accounts)
[+] hgsgm|3 years ago|reply
The bug is that logging out doesn't work for non-critical services.
[+] carmsden|3 years ago|reply
I've actually had this issue myself. It was a rogue chrome extension that was racking up massive viewing numbers on these videos. Disable all your extensions and see if your problem stops.
[+] wereallterrrist|3 years ago|reply
That's... interesting. I wonder if it's a hustle. Buy a Chrome extension, sell "YT views", use unsuspecting victims to siphon their YT cookie and rack up fake views. Maybe?
[+] smoothgrammer|3 years ago|reply
Try enabling advanced data protection. If they can still log in then you have found a huge vuln.
[+] codegeek|3 years ago|reply
"my old Smart TV that I gave away"

Gave away to whom? Did you donate it or give it to an actual person? Perhaps just ask them to log you out? Or do you think they are a bad actor?

[+] PeledYuval|3 years ago|reply
They're not a bad actor, I wouldn't be surprised if they have no idea they're even logged in. I actually just threw away my TV at the local drop-off point. I thought it was broken beyond a point that was worth repairing, but I'm guessing somebody more handy than me picked it up and DIYed it.
[+] gremlinsinc|3 years ago|reply
Wife and I stayed at Ronald McDonald House when our kid needed some doctor's appointments up in Salt Lake 4 hours away. Someone's YouTube account was logged in, and I'm not sure how long it was that way. They really liked the 'dr nosleep' channel apparently.
[+] japanman425|3 years ago|reply
Have you tried clearing your watch history and resetting your ad ID?

Or disabling and then re-enabling your watch history (perhaps leave it a day in between)?

[+] robgibbons|3 years ago|reply
Just delete your YT account, and create a new one. From what I just read, it should be possible to delete YT without deleting your whole Google account.
[+] PeledYuval|3 years ago|reply
This is a solution of last resort that I still don't want to go for
[+] kirykl|3 years ago|reply
What brand TV?
[+] PeledYuval|3 years ago|reply
I don't remember the model, but it was a 4-year-old Samsung LED TV.
[+] maerF0x0|3 years ago|reply

[deleted]

[+] filoleg|3 years ago|reply
Unless there is a kind of DID that also makes you speak Arabic (which you normally don't know how to) and shows your logged-in TV that you sold being located in a distant random location, I seriously doubt your theory.