A prompt injection vulnerability in YouTube's AI comment summarization tool allows attackers to leak the titles of a creator's private videos by leaving a crafted comment that injects a malicious prompt. This vulnerability compromises the privacy of YouTube creators by exposing their private video titles, and highlights the broader security risks of integrating large language models into user-facing applications without adequate safeguards against prompt injection. The attack works when a creator opens YouTube Studio's comment tab and clicks a suggested AI prompt; the injected comment then forces the model to include private video titles in its response. Community testing shows mixed results, with some users unable to reproduce the issue, indicating possible partial mitigations by YouTube.
Background
Prompt injection is a security vulnerability where attackers craft inputs that trick AI language models into overriding their intended instructions and following attacker commands instead. YouTube's AI comment tool uses large language models to summarize comments for creators, but if a comment contains a carefully crafted instruction, the model may execute it, revealing sensitive data such as private video titles.
References
Discussion
The community praised the article for its clear and factual exposition. A former Google engineer provided nuanced context on why YouTube might not treat this as a high-priority bug. Some users reported being unable to reproduce the attack, while others called for stricter role boundaries in AI model prompts.