Tell HN: A stranger is using my YouTube account and Google can't log them out
I believe Google has a grave authentication issue and I cannot burst the impenetrable tier-1 support wall to solve it. Hopefully I'm wrong, but for the life of me and the support reps I talked to, we cannot get a stranger logged out of my YouTube account.
The stranger is using my YouTube account through my old Smart TV that I gave away (my bad for not logging out, but there should be recourse for this).
Once I discovered this, I have changed passwords and revoked auth tokens on all relevant services (Spotify, Disney+, etc.). All services no longer show the stranger accessing them - with the exception of YouTube.
The actions I've taken multiple times (as instructed by Google support): - Changed my Google account's password - Revoked all "devices I trust" under my 2FA settings - Logged out of all devices in the "Your Devices" list
This did force me to log back in on my own devices (phone, TV), but I still see new videos that the stranger watched in my YouTube history. This has been happening for weeks.
Google support walked me through these steps and then gave generic "make sure your password are strong" article links, but of course, refuse to escalate this.
If you wish, you can view the support transcripts here (I admittedly got a little short during the 2nd conversation, which I regret): https://pastebin.com/GypwBPFj
---
Some details:
- The videos in my view history are in Arabic, so I know it's the stranger who watches them
- I know the stranger has access through my old TV because I saw their activity on all apps I had installed on my TV, and I saw my old TV signed in from a distant city under "Your Devices" list
59 comments
[ 3.2 ms ] story [ 122 ms ] threadhttps://support.google.com/youtube/community
I really should move off Gmail.
Just curious, what's the line, if not this? Hypothetically of course, I'm okay with it if you're responding with "I'd rather not say" or "I don't know"
First start using personal domain so that when I switch away I can do it without having to update all contact details. I’ve already been doing this.
Then after some research, switch to a paid email provider. I’m thinking of ProtonMail or Zoho at the moment but I need to look into it more.
It’s going to be painful because I used to use Google OAuth whenever it was available in the past. But I would like to start having my eggs in different baskets.
EDIT: re: "whats the line"
There is no concrete line. It's mostly me getting old enough to worry about not losing access to a lot of services on algorithms' whim and I keep seeing these posts on HN (Google or not). I know the chance of it happening is slim, but I think the damage would be big enough to diversify away.
One thing to note about Proton is if you want to do any shared addresses, say for family use cases, they're missing common features like aliases because of the implied encryption. I tried to switch to it a few years ago and it didn't work for all of the use cases I needed. I do pay for an account with them for other use cases and they're great otherwise. I also tried Zoho a long time ago (>8 years now) and it wasn't good at the time. I've been using FastMail for more than 7 years now and moved all my Gmail domains over about 2 years after that. I have nothing but great things to say about them and aren't affiliated in any way other than being a customer.
Google refused to make it right. I refused to continue with them.
What a breath of fresh air. I am with Fastmail now.
(I ran into a similar issue with the Oculus/Meta Quest 2 and Facebook login tokens. I reported it as a vulnerability in the Facebook account system and it was fixed eventually.)
There's no reason why tier-1 support has to be this irredeemably useless. Just put someone in the loop who knows when _not_ to blindly follow a script. It really isn't that hard.
There is. They're probably non-Google employees, leased en-masse from the cheapest support center Google could find.
It is a deliberate choice to offer inferior support that isn’t able to deal with security issues.
> While our highest-impact services (e.g., Google Wallet, Gmail) are designed to make cookies expire very shortly after the user logs out, we believe that most potential exploitation vectors for this behavior fall outside the security model of modern browsers and operating systems, and can't be meaningfully mitigated by any single website.
> Check this link for more info: https://sites.google.com/site/bughunteruniversity/nonvuln/co...
Note: The issue I submitted was related to revoking all sessions (authentication) as well.
I don't think OP wants to claim a bounty (and anyway, probably doesn't have the details needed), OP just wants the issue fixed. Getting the issue looked at by someome who cares is more likely in the bounty program than through google customer support, because bug bounty triagers need to be empowered to communicate with people empowered to fix issues and google customer support isn't so empowered.
In a good customer service organization, an issue like this should get escalated, but that's not the reality at google, and not at too many other places either.
"Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working."
Maybe you could try issuing thousands of OAuth refresh tokens (or more) for your account, in the hope that it will hit some internal limit and automatically revoke the one stored inside that Smart TV?
"1. Open https://myaccount.google.com/device-activity on any device.
2. Select the device you’d like to sign out of.
3. Select Sign out.
You can also remove YouTube on TV access for a Google Account by opening https://myaccount.google.com/permissions > select YouTube on TV > Remove Access."
https://support.google.com/youtube/answer/7612539?hl=en
Maybe it's storing some kind of non-expiring login token that isn't invalidated using the regular process.
Maybe that might narrow down some search results to p3culiar issues seen only on that firmware or app version? Just maybe
Maybe start watching videos on how to log out of that TVs YouTube app and also that weird softcore porn adjacent content. How to shuffle and trying on videos etc.
Hopefully the new user will decide to logout to get control of suggested content?
[1]https://support.google.com/accounts/answer/185833?hl=en
Gave away to whom ? Did you donate or give it to an actual person. Perhaps just ask them to log you out ? Or do you think they are a bad actor ?
This scenario illustrates why “smart” TVs aren’t such a great idea (you think it’s dead and can’t log out, but someone else eventually fixes it or uses its parts)
That's never a good argument for a real security issue. People should be able to control their security profile outright.
Examples of this are eBay (can still edit cart) and AliExpress (can still see unread messages count).
Perhaps YouTube has decided that appending to the watch history is a sufficiently low risk operation that it's fine to do post-logout?
Implementation-wise, I can imagine that watch history is something that might be updated from logs, and therefore there isn't an opportunity to renew any Auth tokens interactively.
The app is in fact logged out, but it is still sending search logs back to YouTube using a device or session identifier. If you use YouTube logged out, for example, you’ll still have a history, which is tied to your session/device or something. There must be some system within YouTube that’s reconciling the TV’s logs back to your account, since it used to be your device.
If the stranger is not a bad actor, they will definitely be happy to log out.
Or disabling and then re enabling your watch history (perhaps leave it a day in between)