He was thus not able to renew his domain names. I tried to acquire them recently so that I could preserve them and fix the images on his blog which have broken, and then perhaps transfer it to his family at no cost.
After much searching, I found the company controlling them. However, they wanted a large amount of money (if I remember correctly, ~$12,000, or ~1,332,342 JPY) for the domain hagex.com, which I found distasteful (and which I cannot spend). This price was given after the background of my request was explained, so it was not made in ignorance of Hagex's murder.
I have created a Discord. Information and announcements will be provided here in English and, if someone would like to translate, Japanese. There is a sense of worry about not being able to get in contact, so please feel free to join this place for the interim. It is already organized.
I am developing a successor for Hatena Haiku. It will be designed to be comfortable for Hatena users, and integrate into Hatena services as much as possible. I will post further details on this blog. I thank you for your patience.
I was recently uploading an unlisted video to YouTube to demonstrate an XSS vulnerability I stumbled across which I was responsibly disclosing. Part of this involved showing the URL of the script which had been run. After uploading it to YouTube and submitting the vulnerability disclosure, I decided to double-check that nobody had visited the page I was testing on before I had removed the link. As it turns out, somebody had: YouTube.
I was rather alarmed to see this, as I didn't imagine the links were up long enough to be crawled by Google. It was then that I realized that during the video, those URLs were visible in the address bar. It seemed that YouTube had run OCR (optical character recognition) across my entire video and decided to crawl the links within. But how could I be sure that this was not just a mistake on my part?
Time for an Experiment
I recorded a new video of me accessing a URL that does not exist for the very first time.
Here is the video that I uploaded:
I started another screen recording of me uploading the video, and watching the access logs. A few minutes later, Google took the bait, and sent two requests to the URL:
Hook, line, and sinker! I recorded me uploading the video and watching my access logs live (the accesses are around the 5:50 mark):
Why is this concerning?
The purpose for which I uploaded the video was to report a vulnerability. I uploaded it unlisted, so far all intents and purposes, it was meant to remain private. However, our friend Google-Youtube-Links scanned it for an unknown purpose and sent several requests to that URL. A second test as a fully private (not just unlisted) video revealed the same result.
By uploading the videos as unlisted or private, I have the expectation that nobody will see the video or the contained within except for me, or for the people who I explicitly share the links with.
Let's propose a scenario which is in a similar realm to what I was doing:
A security researcher has found a critical vulnerability in a site, and has crafted a URL that will trigger it, causing harmful effects to the website. (e.g a SQL injection vulnerability that will drop the database tables).
During the video, s/he makes mention that they will not visit the URL as it would cause trouble, but it is displayed so that the company they are responsibly disclosing to can remedy it. They upload it as unlisted to YouTube and submit their report. Five minutes later, Google-Youtube-Links comes along and sends two requests to the URL, triggering the SQL injection and rendering the site broken.
The Illusion of Privacy
Here is Google's explanation of privacy settings:
What this does not include, however, is any mention that your video will be scanned for anything resembling URLs, and have these crawled.
What Google has to say about it
So what does Google have to say about this practice? Actually, nothing at all. Searching for the user-agent gives no relevant results save for one: a locked thread from a curious webmaster with no answer, back on March 27th, 2018. The thread was not resolved.
This means that we are left with no explanation of why this is occuring, or disclosure that content uploaded as private to YouTube will be scanned with OCR and have any links within crawled by Google.
Honestly, I find this rather unsettling - especially for using private or unlisted YouTube videos as a way to quickly upload a video to disclose a vulnerability. I'm sure you can think of other scenarios in which this would be undesired, especially as we don't know why it's taking place or where those URLs will end up.
Let me know what you think of this development.
Questions or concerns?
If you have any questions or concerns, feel free to leave them below, or reach out to me at firstname.lastname@example.org. If you are a Hatena user, feel free to leave a star!