KomoD 9 hours ago

> We attempted responsible disclosure by emailing dev@ajay.app multiple times on July 3 and 4, 2026, but received no response.

SponsorBlock is run by one guy. I consider this very irresponsible. You barely waited, and accessing (what you consider to be) the private data of 82k users is not at all necessary to prove a vulnerability. Luckily, most of these aren't really vulnerabilities.

But I'll go over the claims:

> This allowed us to enumerate and download almost the entire user database.

No. SponsorBlock says it has 13 million users, so 82k is not anywhere near "the entire user database".

> 8NpFUCMr2Gq4cy4UrUJPBfGBbRQudhJ8zzex8Gq44RYDywLt3UtbbfDap3KPDbcS

This is not a YouTube API key. It's an API key for a SponsorBlock API route that acts as a proxy to fetch information about a YouTube video.

> AIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39w

This is an API key accessing some internal YouTube APIs. It's documented in many places and belongs to YouTube Android.

> PostgreSQL connection: postgresql://sponsorblock:pw@127.0.0.1:5432/sponsorTimes

You believe these are real creds?

> Admin password hash, global salt, Patreon integration keys, webhook secrets were exposed in repository files

From the CI and test configs...?

> High - Public Grafana Dashboard

Why do you consider this "High" or "Critical"?

> POST /api/skipSegments and POST /api/voteOnSponsorTime endpoints accepted submissions without proper user verification

This is intentional. The extension generates a UUID and uses that as a user ID.

> Batch queries revealed additional sensitive fields including userAgent.

What is sensitive about these fields? https://github.com/ajayyy/SponsorBlockServer/blob/1dd7a32092...

Sorry to say, but prompting some AI model and forwarding the results does not make you a security researcher.
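The comment's point about the PostgreSQL string is that a connection URL lifted from CI or test configuration is not the same thing as a live credential. Below is an added example (mine, not KomoD's and not code from SponsorBlockServer) of a triage helper that parses `postgresql://` URLs found in repository text and separates obvious placeholders (loopback host, trivial password) from findings that actually need verification before they go into a report. The placeholder word list, the length threshold and the sample lines are constructed assumptions for illustration; nothing in the block connects to any database.

```python
"""Triage credential-like strings found in repository files.

Added example, not part of the original comment or of SponsorBlockServer.
Parses PostgreSQL connection URLs and decides whether each looks like a
CI/test placeholder or a credential that needs verification. The word list
and thresholds are assumptions chosen for illustration.
"""
import ipaddress
import re
from urllib.parse import unquote, urlparse

# Passwords that routinely appear in test fixtures and docker-compose files (assumption).
PLACEHOLDER_PASSWORDS = {"pw", "password", "postgres", "test", "changeme", "secret", "example"}
MIN_SECRET_LEN = 8  # anything shorter is unlikely to be a generated secret (assumption)

PG_URL_RE = re.compile(r"postgres(?:ql)?://\S+")


def parse_pg_url(url):
    """Split a postgresql:// URL into its components (no network access)."""
    p = urlparse(url)
    if p.scheme not in ("postgresql", "postgres"):
        raise ValueError("not a PostgreSQL URL")
    return {
        "user": unquote(p.username or ""),
        "password": unquote(p.password or ""),
        "host": p.hostname or "",
        "port": p.port or 5432,
        "database": p.path.lstrip("/"),
    }


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def triage(url):
    """Return (verdict, reasons) for one connection URL.

    verdict is 'placeholder' when the URL has markers of test/CI config,
    otherwise 'needs-verification' (meaning: confirm with the maintainer,
    do not assume it is live).
    """
    c = parse_pg_url(url)
    reasons = []
    if is_loopback(c["host"]):
        reasons.append("host is loopback: only reachable from the machine running the service")
    pw = c["password"]
    if not pw:
        reasons.append("no password present")
    elif pw.lower() in PLACEHOLDER_PASSWORDS or len(pw) < MIN_SECRET_LEN:
        reasons.append("password is a common placeholder or too short to be a generated secret")
    verdict = "placeholder" if reasons else "needs-verification"
    return verdict, reasons


def scan_lines(lines):
    """Find every PostgreSQL URL in the given text lines and triage it.

    Returns a list of (line_number, url, verdict) tuples.
    """
    results = []
    for n, line in enumerate(lines, start=1):
        for m in PG_URL_RE.finditer(line):
            url = m.group(0).rstrip("\"',;")  # strip trailing quote/punctuation from YAML or .env
            verdict, _ = triage(url)
            results.append((n, url, verdict))
    return results


# Constructed sample input resembling a docker-compose file and a .env file.
SAMPLE_LINES = [
    "services:",
    "  api:",
    "    environment:",
    "      DATABASE_URL: postgresql://sponsorblock:pw@127.0.0.1:5432/sponsorTimes",
    "# .env (constructed; the password below is random filler, not a real secret)",
    "PROD_DB=\"postgresql://app:Xk9v2mQ7pL4wZr3t@db.internal.example:5432/prod\"",
]

if __name__ == "__main__":
    for line_no, url, verdict in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {verdict:18s} {url}")
```

Run as a script it prints one verdict per URL found; in a review workflow the `needs-verification` items are the ones worth a quiet email to the maintainer, and the `placeholder` items are the ones that should not appear in a writeup as exposed credentials.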