A security researcher has demonstrated that YouTube Ask Studio AI can be manipulated into revealing private video titles through a prompt injection attack hidden inside YouTube comments. The technique allows attackers to influence the AI assistant’s responses without compromising YouTube itself, raising fresh concerns about how AI tools handle untrusted user content.

Google reviewed the report but concluded that the issue does not qualify as a security vulnerability because the attack depends on user interaction.

Researcher Shows How YouTube Ask Studio AI Follows Hidden Instructions

New York-based bug bounty hunter Javox, known online as @javoriuski, discovered that YouTube Ask Studio AI treats specially crafted comments as instructions instead of ordinary user feedback.

The AI assistant is built into YouTube Studio and helps creators analyze channel performance, summarize comments, and answer questions about their content.

Javox wondered what would happen if a comment contained instructions aimed at the AI rather than a normal message for the creator.

His testing showed that the assistant could follow those hidden commands.

Edited Comments Help Hide the Attack

The attack takes advantage of YouTube’s comment editing feature.

An attacker can first publish a harmless comment. After the creator has seen it, the attacker edits the comment and inserts hidden prompt injection instructions.

Creators are not notified when comments are edited. As a result, they may never notice the malicious change.

When the creator later asks YouTube Ask Studio AI to summarize comments, the assistant processes the edited version instead of the original.

In Javox’s proof of concept, the AI added attacker-controlled text that appeared to be an official notice from YouTube.

Because the response comes directly from the AI assistant, creators may be more likely to trust the message.

Prompt Injection Escalated to Private Video Titles

After proving that the AI would follow instructions embedded in comments, Javox tested whether it could access information available only to the channel owner.

Instead of asking the AI to display a fixed message, he instructed it to generate a hyperlink containing the title of one of the creator’s videos.

The malicious prompt directed the AI to replace a placeholder inside the URL with a video title from the creator’s own channel.

The assistant complied.

Rather than returning the placeholder text, YouTube Ask Studio AI inserted the title of an actual private video because the assistant has access to channel information that ordinary users cannot see.

Although the attack did not expose the videos themselves, private titles can reveal confidential projects, unreleased content, business plans, or personal information.

The attacker never needs to compromise YouTube’s systems. Instead, the attack abuses the trusted AI assistant to disclose information already available to it.

Google Declined to Treat the Issue as a Security Bug

Javox reported the vulnerability through Google’s bug bounty program.

Google responded that it would not track the issue as a security or abuse risk because the attack requires interaction from the victim.

According to the company’s response, the scenario depends on a creator choosing to use the AI assistant after an attacker edits a comment.

Javox disagrees with that assessment.

He argues that traditional social engineering relies on convincing users to trust an attacker. In this case, however, creators are interacting with YouTube’s own AI assistant, a tool they already have every reason to trust.

From his perspective, the AI itself becomes the vehicle for the attack.

Researcher Calls for Better Separation Between Data and Instructions

Javox believes the root problem is that YouTube Ask Studio AI treats user comments as both content and potential instructions.

He recommends handling comments as untrusted input so the assistant summarizes them without interpreting embedded prompts as commands.

Separating user-generated content from the AI’s internal instructions would significantly reduce the risk of prompt injection attacks.

Without that protection, anyone who comments on a creator’s videos could potentially influence what the AI tells the channel owner or persuade it to reveal information that was never intended to leave the account.

Prompt Injection Continues to Challenge AI Security

The findings add to growing evidence that prompt injection remains one of the biggest security challenges facing AI-powered assistants.

Earlier this year, researchers demonstrated similar attacks using hidden audio commands embedded in podcasts, YouTube videos, MP3 files, and Zoom calls. Those attacks attempted to manipulate AI voice assistants into performing unauthorized actions without the user’s knowledge.

The latest YouTube Ask Studio AI research shows that text-based prompt injection can also become a practical threat when AI systems fail to distinguish between trusted instructions and untrusted user content.


0 responses to “YouTube Ask Studio AI Trick Leaks Private Video Titles”