Tell HN: A stranger is using my YouTube account and Google can't log them out
Hi HN,
I believe Google has a grave authentication issue and I cannot burst the impenetrable tier-1 support wall to solve it. Hopefully I'm wrong, but for the life of me and the support reps I talked to, we cannot get a stranger logged out of my YouTube account.
The stranger is using my YouTube account through my old Smart TV that I gave away (my bad for not logging out, but there should be recourse for this).
Once I discovered this, I changed passwords and revoked auth tokens on all relevant services (Spotify, Disney+, etc.). All services no longer show the stranger accessing them - with the exception of YouTube.
The actions I've taken multiple times (as instructed by Google support):
- Changed my Google account's password
- Revoked all "devices I trust" under my 2FA settings
- Logged out of all devices in the "Your Devices" list
This did force me to log back in on my own devices (phone, TV), but I still see new videos that the stranger watched in my YouTube history. This has been happening for weeks.
Google support walked me through these steps and then gave generic "make sure your passwords are strong" article links, but of course, refused to escalate this.
If you wish, you can view the support transcripts here (I admittedly got a little short during the 2nd conversation, which I regret): https://pastebin.com/GypwBPFj
---
Some details:
- The videos in my view history are in Arabic, so I know it's the stranger who watches them
- I know the stranger has access through my old TV because I saw their activity on all apps I had installed on my TV, and I saw my old TV signed in from a distant city under the "Your Devices" list

You shouldn't be telling this to tier-1 support, you should be reporting it through a contact that's labeled as specifically being for reporting security issues affecting Google login, i.e. https://bughunters.google.com/ . This is a significant security vulnerability because the existence of this TV implies the existence of an API somewhere which the TV has used, which can create revocation-resistant keys. (I ran into a similar issue with the Oculus/Meta Quest 2 and Facebook login tokens. I reported it as a vulnerability in the Facebook account system and it was fixed eventually.)

Why shouldn't tier-1 support be able to forward this to someone who is the slightest bit technical, who can then make the call to report this to the relevant security team? There's no reason why tier-1 support has to be this irredeemably useless. Just put someone in the loop who knows when _not_ to blindly follow a script. It really isn't that hard.

> There's no reason why tier-1 support has to be this irredeemably useless.
There is. They're probably non-Google employees, leased en masse from the cheapest support center Google could find.

has vs would. It is a deliberate choice to offer inferior support that isn't able to deal with security issues.

I agree with you. I tried really hard to get this escalated. Tier 1 seem to have absolutely no ability to escalate tickets. It's a cost-saving decision for sure, and it feels really bad to fall between the cracks due to it.

I submitted a similar issue regarding Google Drive folders. I don't think submitting this issue will earn OP any money as a "significant security vulnerability": In other words, Google will not consider this a significant security vulnerability.
> While our highest-impact services (e.g., Google Wallet, Gmail) are designed to make cookies expire very shortly after the user logs out, we believe that most potential exploitation vectors for this behavior fall outside the security model of modern browsers and operating systems, and can't be meaningfully mitigated by any single website.
> Check this link for more info: https://sites.google.com/site/bughunteruniversity/nonvuln/co...
Note: The issue I submitted was related to revoking all sessions (authentication) as well.

> I don't think submitting this issue will earn OP any money as a "significant security vulnerability"
I don't think OP wants to claim a bounty (and anyway, probably doesn't have the details needed), OP just wants the issue fixed. Getting the issue looked at by someone who cares is more likely in the bounty program than through Google customer support, because bug bounty triagers need to be empowered to communicate with people empowered to fix issues and Google customer support isn't so empowered. In a good customer service organization, an issue like this should get escalated, but that's not the reality at Google, and not at too many other places either.

Thank you - I will be trying this.

Not really. It's just a long-lived refresh token. You can revoke the app it's associated to but OP seems unaware.

OP has listed the steps they took to revoke connected devices, what additional revocation are you referring to?

Please, if I missed a method to revoke access - let me know how. I'm not being sarcastic, I think I've tried everything there is to try.

I think he's talking about https://support.google.com/accounts/answer/3466521?hl=en

How then?

I know this is going to sound ridiculous, but go to this random support forum and try to get ahold of Didi; they seem to have some kind of "in" with the account hijacking team and can get your account moved into a different kind of support queue.
I do find it ridiculous that getting Google support has gotten to a point where people need to post for help on a forum in which they are hinted to go to another community and look for a person who has an "in" with a team. I really should move off Gmail.

I made the switch as my new year's resolution after a Google support agent gave my info to my wife without my permission. They didn't know it was my wife. Google refused to make it right. I refused to continue with them. What a breath of fresh air. I am with Fastmail now.

> I really should move off Gmail.
Just curious, what's the line, if not this? Hypothetically of course, I'm okay with it if you're responding with "I'd rather not say" or "I don't know".

I'm not sure what you mean by "what's the line" but if it means "what's the alternative": First start using a personal domain so that when I switch away I can do it without having to update all contact details. I've already been doing this. Then after some research, switch to a paid email provider. I'm thinking of ProtonMail or Zoho at the moment but I need to look into it more. It's going to be painful because I used to use Google OAuth whenever it was available in the past. But I would like to start having my eggs in different baskets.
EDIT: re: "what's the line" There is no concrete line. It's mostly me getting old enough to worry about not losing access to a lot of services on algorithms' whim and I keep seeing these posts on HN (Google or not). I know the chance of it happening is slim, but I think the damage would be big enough to diversify away.

"What's the line" as in if you were to draw a line in the sand - what would be "enough" to put you over said hypothetical line of leaving Gmail? I think OP may be implying that this should be "enough", but I don't want to make any assumptions.

One thing to note about Proton is if you want to do any shared addresses, say for family use cases, they're missing common features like aliases because of the implied encryption. I tried to switch to it a few years ago and it didn't work for all of the use cases I needed. I do pay for an account with them for other use cases and they're great otherwise. I also tried Zoho a long time ago (>8 years now) and it wasn't good at the time. I've been using FastMail for more than 7 years now and moved all my Gmail domains over about 2 years after that. I have nothing but great things to say about them and am not affiliated in any way other than being a customer.

Ah thanks for that. That makes sense! I'll also check out FastMail. Thanks for the recommendation :)

Seconding Fastmail. Their great advantage is that they make money by providing email service and their focus is correspondingly different from the Borg.

Thanks! This does sound ridiculous, but maybe it will work? Worth a shot.

In Google's OAuth 2.0 for TV and Limited-Input Device Applications page, https://developers.google.com/identity/protocols/oauth2/limi..., it says: "Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working." Maybe you could try issuing thousands of OAuth refresh tokens (or more) for your account, in the hope that it will hit some internal limit and automatically revoke the one stored inside that Smart TV?

I think the risk of getting banned due to misuse is not worth it... But I like your hacker mentality!

Some services still allow the less sensitive account actions after logging out. Examples of this are eBay (can still edit cart) and AliExpress (can still see unread messages count). Perhaps YouTube has decided that appending to the watch history is a sufficiently low risk operation that it's fine to do post-logout? Implementation-wise, I can imagine that watch history is something that might be updated from logs, and therefore there isn't an opportunity to renew any auth tokens interactively.

My uneducated guess: The app is in fact logged out, but it is still sending search logs back to YouTube using a device or session identifier. If you use YouTube logged out, for example, you'll still have a history, which is tied to your session/device or something. There must be some system within YouTube that's reconciling the TV's logs back to your account, since it used to be your device.

Get him to log you out? Maybe start watching videos on how to log out of that TV's YouTube app and also that weird softcore porn adjacent content. How to shuffle and trying on videos etc. Hopefully the new user will decide to log out to get control of suggested content?

This should help:
"1. Open https://myaccount.google.com/device-activity on any device.
2. Select the device you'd like to sign out of.
3. Select Sign out.
You can also remove YouTube on TV access for a Google Account by opening https://myaccount.google.com/permissions > select YouTube on TV > Remove Access."

I'm guessing this smart TV is using some kind of weird nonstandard auth scheme that has fallen through the cracks. Maybe it's storing some kind of non-expiring login token that isn't invalidated using the regular process.

I've done both of these things - to no avail! This is really weird.

Did you already mention the brand/model/year of the smart TV or the OS/platform/version etc.? Maybe that might narrow down some search results to peculiar issues seen only on that firmware or app version? Just maybe.

You should try to converse with them through the search history. Search for something like "Hello I am the previous owner of this TV. Please log out from YouTube.". If the stranger is not a bad actor, they will definitely be happy to log out.

Could you try enabling advanced protection (if you are comfortable)? When I made that change I was forcefully logged out everywhere. (Disclaimer: used to work at Google, don't anymore, didn't work on accounts)

The bug is that logging out doesn't work for non-critical services.

I've actually had this issue myself. It was a rogue Chrome extension that was racking up massive viewing numbers on these videos. Disable all your extensions and see if your problem stops.

That's... interesting. I wonder if it's a hustle. Buy a Chrome extension, sell "YT views", use unsuspecting victims to siphon their YT cookie and rack up fake views. Maybe?

Try enabling advanced data protection. If they can still log in then you have found a huge vuln.

"my old Smart TV that I gave away" Gave away to whom? Did you donate or give it to an actual person? Perhaps just ask them to log you out? Or do you think they are a bad actor?

They're not a bad actor, I wouldn't be surprised if they have no idea they're even logged in. I actually just threw away my TV in the local drop-off point. I thought it was broken beyond a point that was worth repairing but I'm guessing somebody more handy than me picked it up and DIYed it.

Sorry to hear about your predicament (best of luck). This scenario illustrates why "smart" TVs aren't such a great idea (you think it's dead and can't log out, but someone else eventually fixes it or uses its parts).

Wife and I stayed at Ronald McDonald House when our kid needed some doctors appts up in Salt Lake 4 hours away. Someone's YouTube account was logged in, and I'm not sure how long it was that way. They really liked the 'dr nosleep' channel apparently.

You mentioned you have MFA activated, so you should also remove any App passwords[1] you might have created for the TV.

Thank you for the suggestion, I have already made sure that there are no App Passwords on my account.

Have you tried clearing your watch history and resetting your add ID? Or disabling and then re-enabling your watch history (perhaps leave it a day in between)?

Just delete your YT account, and create a new one. From what I just read, it should be possible to delete YT without deleting your whole Google account.

This is a solution of last resort that I still don't want to go for.

Why? You can just resubscribe to everything. Your YouTube history is more valuable to Google than to you.

"You can just" That's never a good argument for a real security issue. People should be able to control their security profile outright.

watched videos no longer watched as watched, playlists gone, "algorithm" reset, having to resub to everything, just a big pain and no guarantee it would even solve the problem

What brand TV?

I don't remember the model, but it was a 4yr old Samsung LED TV.
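The "revocation-resistant keys" and "long-lived refresh token" points raised in the thread, as an added illustration that is not part of the thread and is not Google's code: a toy auth server (hypothetical names throughout) that issues a refresh token to a limited-input device, then shows how the same token either survives or dies after a password change, depending on whether every redemption is checked against a per-account credential generation that "sign out everywhere" bumps.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str                                # plain text only in this toy model
    generation: int = 0                          # bumped by any "sign out everywhere"
    tokens: dict = field(default_factory=dict)   # refresh token -> generation at issue


class AuthServer:
    def __init__(self, check_generation):
        # check_generation=False models a token family the revocation path never consults.
        self.check_generation = check_generation
        self.accounts = {}

    def register(self, user, password):
        self.accounts[user] = Account(password)

    def device_login(self, user, password):
        """Outcome of a limited-input device flow: a long-lived refresh token."""
        acct = self.accounts[user]
        if not secrets.compare_digest(acct.password.encode(), password.encode()):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(24)
        acct.tokens[token] = acct.generation
        return token

    def sign_out_everywhere(self, user):
        # One counter bump invalidates every credential issued so far, even on unreachable devices.
        self.accounts[user].generation += 1

    def change_password(self, user, new_password):
        self.accounts[user].password = new_password
        self.sign_out_everywhere(user)

    def redeem(self, user, token):
        acct = self.accounts[user]
        issued_gen = acct.tokens.get(token)
        if issued_gen is None:
            return False
        return (not self.check_generation) or issued_gen == acct.generation


def stale_tv_token_still_works(check_generation):
    """Thread scenario: TV logs in, owner later changes password (constructed data)."""
    srv = AuthServer(check_generation)
    srv.register("owner", "old-pw")
    tv_token = srv.device_login("owner", "old-pw")
    srv.change_password("owner", "new-pw")
    return srv.redeem("owner", tv_token)
```

With `check_generation=False` the TV's token keeps working after the password change, which is the behaviour the thread describes; with the generation check it is rejected.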