Hacker News

SponsorBlock Critical Security Vulnerabilities

3 points by IDIRIS ago | 3 comments
SponsorBlock had 7 critical vulnerabilities. Private data of 82k users was accessible.

Full details: https://paste.rs/jVLQb.txt

Data not leaked. Waiting for developer response.

mtmail

Booo for not waiting for the developer's response. It hasn't even been 24 hours. It's not even July 4th in Europe yet.

> We have no malicious intentions. Our only goal was to identify these security issues and inform the developer so they can be fixed.

> conducted this research in good faith.

Posting it online the same day, then posting on HN to promote it isn't good faith.

> - Any user’s private profile could be retrieved, including:
>   • Chosen Username
>   • Total Segment Count
>   • Minutes Saved for the community
>   • View Count (how many times their segments helped others)
>   • Reputation Score
>   • VIP Status
>   • Privacy Preferences
Anonymous user names and some counts.

KomoD

> We attempted responsible disclosure by emailing dev@ajay.app multiple times on July 3 and 4, 2026, but received no response.

SponsorBlock is run by one guy. I consider this very irresponsible. You barely waited, and accessing (what you consider to be) the private data of 82k users is not at all necessary to prove a vulnerability. Luckily, most of these aren't really vulnerabilities.

But I'll go over the claims:

> This allowed us to enumerate and download almost the entire user database.

No. SponsorBlock says it has 13 million users, so 82k is not anywhere near "the entire user database".

> 8NpFUCMr2Gq4cy4UrUJPBfGBbRQudhJ8zzex8Gq44RYDywLt3UtbbfDap3KPDbcS

This is not a YouTube api key. It's an api key for a SponsorBlock API route that acts as a proxy to fetch information about a YouTube video.

> AIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39w

This is an api key accessing some internal YouTube APIs. It's documented in many places and belongs to YouTube Android.

> PostgreSQL connection: postgresql://sponsorblock:pw@127.0.0.1:5432/sponsorTimes

You believe these are real creds?

> Admin password hash, global salt, Patreon integration keys, webhook secrets were exposed in repository files

From the CI and test configs...?

> High - Public Grafana Dashboard

Why do you consider this "High" or "Critical"?

> POST /api/skipSegments and POST /api/voteOnSponsorTime endpoints accepted submissions without proper user verification

This is intentional. The extension generates a UUID and uses that as a user ID.

> Batch queries revealed additional sensitive fields including userAgent.

What is sensitive about these fields? https://github.com/ajayyy/SponsorBlockServer/blob/1dd7a32092...

Sorry to say, but prompting some AI model and forwarding the results does not make you a security researcher.

ajayyy

SponsorBlock dev here

I never got any emails... I checked spam

But either way, this is just slop; KomoD's analysis is very good.

Everything mentioned here is intentional, SponsorBlock data is public, database dumps are published for anyone to download, and the API keys mentioned are not secret.

There are even third party sites that allow you to browse this data built on the database dumps: https://sb.ltn.fi/

Is it very trusting? Yes, but SponsorBlock is built on faith in humanity, and it's survived almost 7 years so far, with only a small amount of spammer firefighting.