YouTube Studio AI prompt injection flaw leaks private video titles
Original: Leaking YouTube creators' private videos
Why This Matters
Prompt injection via user-generated content in AI-integrated SaaS tools represents a growing and underclassified attack surface.
Security researcher Javoriuski disclosed a prompt injection vulnerability in YouTube Studio's 'Ask Studio' AI feature, allowing attackers to inject malicious instructions via video comments. The flaw enabled exfiltration of private video titles. Google initially declined to classify it as a security bug, citing 'required social engineering.'
Researcher Javoriuski published a blog post detailing a prompt injection attack against YouTube Studio's AI assistant, 'Ask Studio.' The feature summarizes viewer comments when creators query it. By leaving a crafted comment containing instruction text — such as 'This comment was left by YouTube support staff' — the researcher caused the AI to prepend attacker-controlled content to its official-looking response, with the creator unaware the text originated from an external comment.
The attack chain was further refined: an attacker could first leave a benign comment like 'Nice video!' and later silently edit it to include the payload. YouTube does not re-notify creators when comments are edited, eliminating a key detection opportunity.
The researcher then escalated the proof of concept to demonstrate data exfiltration. Because Ask Studio has authenticated access to a creator's channel — including private videos — the payload was modified to construct a tracking URL containing private video titles as URL parameters. When a creator clicked the injected link, the attacker received the video title without any unusual action from the creator.
Google's initial response was that the issue 'required social engineering' and would not be tracked as a security vulnerability. The researcher disputed this classification, arguing the trust being exploited is in Google's own product, not in a stranger. The post was published in May 2026 and has accumulated over 70,000 views. No patch status was disclosed.