Full details: https://paste.rs/jVLQb.txt
Data not leaked. Waiting for developer response.
SponsorBlock is run by one guy. I consider this very irresponsible. You barely waited, and accessing (what you consider to be) the private data of 82k users is not at all necessary to prove a vulnerability. Luckily, most of these aren't really vulnerabilities.
But I'll go over the claims:
> This allowed us to enumerate and download almost the entire user database.
No. SponsorBlock says it has 13 million users, so 82k is not anywhere near "the entire user database".
> 8NpFUCMr2Gq4cy4UrUJPBfGBbRQudhJ8zzex8Gq44RYDywLt3UtbbfDap3KPDbcS
This is not a YouTube API key. It's an API key for a SponsorBlock API route that acts as a proxy to fetch information about a YouTube video.
> AIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39w
This is an API key for accessing some internal YouTube APIs. It's documented in many places and belongs to YouTube Android.
> PostgreSQL connection: postgresql://sponsorblock:pw@127.0.0.1:5432/sponsorTimes
You believe these are real creds?
> Admin password hash, global salt, Patreon integration keys, webhook secrets were exposed in repository files
From the CI and test configs...?
> High - Public Grafana Dashboard
Why do you consider this "High" or "Critical"?
> POST /api/skipSegments and POST /api/voteOnSponsorTime endpoints accepted submissions without proper user verification
This is intentional. The extension generates a UUID and uses that as a user ID.
> Batch queries revealed additional sensitive fields including userAgent.
What is sensitive about these fields? https://github.com/ajayyy/SponsorBlockServer/blob/1dd7a32092...
Sorry to say, but prompting some AI model and forwarding the results does not make you a security researcher.
I never got any emails... I checked spam.
But either way, this is just slop, KomoD's analysis is very good.
Everything mentioned here is intentional, SponsorBlock data is public, database dumps are published for anyone to download, and the API keys mentioned are not secret.
There are even third party sites that allow you to browse this data built on the database dumps: https://sb.ltn.fi/
Is it very trusting? Yes, but SponsorBlock is built on faith in humanity, and it's survived almost 7 years so far, with only a small amount of spammer firefighting.
mtmail•4h ago
> We have no malicious intentions. Our only goal was to identify these security issues and inform the developer so they can be fixed.
> conducted this research in good faith.
Posting it online the same day, then posting on HN to promote it isn't good faith.
Anonymous user names and some counts.