KomoD 9 hours ago

> We attempted responsible disclosure by emailing dev@ajay.app multiple times on July 3 and 4, 2026, but received no response.

SponsorBlock is run by one guy. I consider this very irresponsible. You barely waited, and accessing (what you consider to be) the private data of 82k users is not at all necessary to prove a vulnerability.

Luckily, most of these aren't really vulnerabilities. But I'll go over the claims:

> This allowed us to enumerate and download almost the entire user database.

No. SponsorBlock says it has 13 million users, so 82k is not anywhere near "the entire user database".

> 8NpFUCMr2Gq4cy4UrUJPBfGBbRQudhJ8zzex8Gq44RYDywLt3UtbbfDap3KPDbcS

This is not a YouTube API key. It's an API key for a SponsorBlock API route that acts as a proxy to fetch information about a YouTube video.

> AIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39w

This is an API key for accessing some internal YouTube APIs. It's documented in many places and belongs to YouTube Android.

> PostgreSQL connection: postgresql://sponsorblock:pw@127.0.0.1:5432/sponsorTimes

You believe these are real creds?

> Admin password hash, global salt, Patreon integration keys, webhook secrets were exposed in repository files

From the CI and test configs...?

> High - Public Grafana Dashboard

Why do you consider this "High" or "Critical"?

> POST /api/skipSegments and POST /api/voteOnSponsorTime endpoints accepted submissions without proper user verification

This is intentional. The extension generates a UUID and uses that as a user ID.

> Batch queries revealed additional sensitive fields including userAgent.

What is sensitive about these fields? https://github.com/ajayyy/SponsorBlockServer/blob/1dd7a32092...

Sorry to say, but prompting some AI model and forwarding the results does not make you a security researcher.