Posts

Showing posts from July, 2024

A Creative Way To Get Someones YouTube Videos Deleted + A Copyright Strike Against Their YouTube Channel

Hey All! Welcome back to another blog post about a pretty interesting finding I submitted to Google. Since the last post got such good traction, I will probably be posting another one this weekend or next week. Not sure what that type of write-up will entail. If you read the last post, you probably saw how you could utilize an API in Google Classroom to leak other users' Google Drive files. Google gave a nice bounty for it and fixed it very quickly. The traction that post received was amazing as well, so thank you for that. In this post I am going to show you a very interesting finding which could have resulted in you being able to delete another person's YouTube videos and even risk their entire channel getting deleted. So let's begin! First, a little bit of background on YouTube and copyright disputes. I think most here know YouTube has a copyright process where, if you upload a video using another person's music, for example, a Content ID claim is put against your video. Now these are generall

Leaking All Users Google Drive Files

Hey All! Long time no see. I decided to make some new blog posts about some of my top Google findings I have had over the years. I am hoping to write up more of these as kind of a continuous series over the next few weeks, so stay tuned. In this new post I am writing up an interesting find I had a few years ago that allowed you to gain access to another user's Google Drive files. For those that do not know, Google Drive is a file sharing service where you can upload Word docs, PDF files, or any file for that matter and share it with other users. If the file is private or not meant to be shared with you, then you would receive an access denied error. Today I am going to show you how it was possible to gain access to someone else's Google Drive files without being granted access to them :). Before I begin I do want to say the issue is fixed and Google VRP gave a nice bounty for it :D. POC: So before I begin going over this POC I need to explain a little background about Google Classro