SponsorBlock Critical Security Vulnerabilities

3•IDIRIS•5h ago
SponsorBlock had 7 critical vulnerabilities. Private data of 82k users was accessible.

Full details: https://paste.rs/jVLQb.txt

Data not leaked. Waiting for developer response.

Comments

mtmail•4h ago
Booo for not waiting for the developer's response. It hasn't even been 24 hours. It's not even July 4th in Europe yet.

> We have no malicious intentions. Our only goal was to identify these security issues and inform the developer so they can be fixed.

> conducted this research in good faith.

Posting it online the same day, then posting on HN to promote it isn't good faith.

> - Any user’s private profile could be retrieved, including:
>   • Chosen Username
>   • Total Segment Count
>   • Minutes Saved for the community
>   • View Count (how many times their segments helped others)
>   • Reputation Score
>   • VIP Status
>   • Privacy Preferences

Anonymous user names and some counts.

KomoD•2h ago
> We attempted responsible disclosure by emailing dev@ajay.app multiple times on July 3 and 4, 2026, but received no response.

SponsorBlock is run by one guy. I consider this very irresponsible. You barely waited, and accessing (what you consider to be) the private data of 82k users is not at all necessary to prove a vulnerability. Luckily, most of these aren't really vulnerabilities.

But I'll go over the claims:

> This allowed us to enumerate and download almost the entire user database.

No. SponsorBlock says it has 13 million users, so 82k is not anywhere near "the entire user database".

> 8NpFUCMr2Gq4cy4UrUJPBfGBbRQudhJ8zzex8Gq44RYDywLt3UtbbfDap3KPDbcS

This is not a YouTube API key. It's an API key for a SponsorBlock API route that acts as a proxy to fetch information about a YouTube video.

> AIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39w

This is an API key for accessing some internal YouTube APIs. It's documented in many places and belongs to YouTube Android.

> PostgreSQL connection: postgresql://sponsorblock:pw@127.0.0.1:5432/sponsorTimes

You believe these are real creds?

> Admin password hash, global salt, Patreon integration keys, webhook secrets were exposed in repository files

From the CI and test configs...?

> High - Public Grafana Dashboard

Why do you consider this "High" or "Critical"?

> POST /api/skipSegments and POST /api/voteOnSponsorTime endpoints accepted submissions without proper user verification

This is intentional. The extension generates a UUID and uses that as a user ID.

> Batch queries revealed additional sensitive fields including userAgent.

What is sensitive about these fields? https://github.com/ajayyy/SponsorBlockServer/blob/1dd7a32092...

Sorry to say, but prompting some AI model and forwarding the results does not make you a security researcher.

ajayyy•6m ago
SponsorBlock dev here

I never got any emails... I checked spam

But either way, this is just slop, KomoD's analysis is very good.

Everything mentioned here is intentional, SponsorBlock data is public, database dumps are published for anyone to download, and the API keys mentioned are not secret.

There are even third party sites that allow you to browse this data built on the database dumps: https://sb.ltn.fi/

Is it very trusting? Yes, but SponsorBlock is built on faith in humanity, and it's survived almost 7 years so far, with only a small amount of spammer firefighting.