YouTube's AI can be tricked into leaking private video titles, researcher says
Security researcher Javox says Google rejected the report as social engineering, exposing a policy gap around AI-driven creator tools.
By Ryan Merket
Why it matters
YouTube is pushing Ask Studio as a trusted creator assistant while its own AI security guidance treats indirect prompt injection and data exfiltration as real risks.

Javox (@javoriuski), a New York-based security researcher, published a May write-up describing how YouTube's Ask Studio AI assistant could be manipulated through a normal video comment to show attacker-controlled text to a creator and, in an escalated proof of concept, leak the title of a private video through a link click.
The report matters because Ask Studio is not an experimental chatbot sitting outside YouTube. It is built into YouTube Studio, where creators already manage comments, analytics, drafts and unpublished uploads. YouTube's own help page says Ask Studio helps creators summarize comments and feedback, understand channel stats, brainstorm video ideas and use suggested prompts. The same page says the tool draws on information from a creator's channel, YouTube and the web.
Javox's test used that design against itself. He said he left a comment on a video containing instructions for the AI assistant rather than ordinary viewer feedback. When the creator asked Ask Studio about comments, the assistant treated the comment as something to follow and placed an attacker-chosen notice at the top of the response. In the attack chain described in the post, the creator did not need to see the original malicious comment. Javox said an attacker could leave an ordinary comment first, edit it later and wait for the creator to use Ask Studio's comment-summarization workflow.
YouTube's product design made the path shorter. Ask Studio supports suggested prompts, and YouTube's help center tells creators they can select one of those prompts rather than type their own. Javox said one such prompt fed comments into the assistant when clicked from YouTube Studio's comments area. His described chain was simple: a commenter plants the payload, the creator opens Studio, the creator clicks a YouTube-supplied AI prompt, and the AI response carries the injected content.
The private-video escalation
The initial proof of concept looked like a trust and UI problem. The second version turned it into a data leak claim.
Javox said he found that Ask Studio, as an authenticated creator tool, could see channel videos, including private videos. That access is consistent with YouTube's own documentation, which says Ask Studio can provide feedback on draft, private or unlisted videos selected from a creator's channel.
He then modified the injected comment so the AI would generate a markdown link to an attacker-controlled site and replace a placeholder in the URL with a video title from the channel. If the creator clicked the link, the request to the attacker's server would include the private title as a URL parameter, according to the write-up.
That is a narrow exploit path. It still requires a creator to click a link displayed in the AI response. The difference from ordinary phishing is where the message appears. Javox's argument is that the creator is interacting with YouTube's own interface, following YouTube's own suggested AI workflow, and receiving a response from a tool Google integrated into the creator dashboard.
YouTube's own Ask Studio help page contains caveats. It says Ask Studio responses do not reflect YouTube's views, quality and accuracy may vary, and the tool is not YouTube support. It also says creators should not rely on it for professional advice. Those warnings do not directly address the bug class Javox described: hostile user-generated content being ingested by an assistant that has access to private channel context and can emit clickable links.
Google classified it as social engineering
Javox said he reported the issue to Google and was told it was not a security bug because it required social engineering. After he escalated the proof of concept to include private video title leakage, he said the response was still that it was not a bug.
Google's public bug bounty rules give both sides of that dispute something to point at. Google's general Vulnerability Reward Program rules say design or implementation issues that substantially affect the confidentiality or integrity of user data are likely to be in scope. They also say reports need a valid attack scenario. Separately, Google's AI vulnerability program has drawn a line between content-level issues such as prompt injections and security-impacting AI exploits such as unauthorized actions or data exfiltration.
Google's own security team has also described indirect prompt injection as a serious AI security problem. In an April 2026 Google Security Blog post, Google called indirect prompt injection a top priority for the security community and described it as a technique where an AI system processes content such as a website, email or document containing malicious instructions. The post said the AI may silently follow the attacker's commands instead of the user's original intent.
That is close to the pattern Javox described, except the untrusted content was a YouTube comment and the affected user was a creator inside YouTube Studio. Google's June 2025 security guidance on mitigating prompt injection attacks also lists markdown sanitization, suspicious URL redaction, user confirmation and security notifications as part of a layered defense strategy for Gemini. Javox's proof of concept turns on the assistant rendering an attacker-shaped link that carries private channel data.
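The markdown sanitization and suspicious-URL redaction layers named in that guidance can be sketched as a filter over the assistant's response before it is rendered. This is an added example, not code from Javox's write-up or from Google; the allowlist, the function names, the sample response and the private title are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: hosts the assistant UI may link to (hypothetical allowlist).
ALLOWED_HOSTS = {"www.youtube.com", "studio.youtube.com", "support.google.com"}
# Inline markdown links and images: [text](url) and ![alt](url).
MD_LINK = re.compile(r"!?\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")

def _flatten(s):
    """Decode percent/plus encoding, lowercase, drop non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", unquote_plus(s).lower())

def sanitize_response(markdown, private_titles):
    """Return (safe_markdown, findings) for one assistant response.

    A link is reduced to its visible text when its URL embeds a private
    title (in any common encoding) or points outside ALLOWED_HOSTS.
    """
    needles = [n for n in map(_flatten, private_titles) if len(n) >= 4]
    findings = []

    def redact(match):
        text, url = match.group(1), match.group(2)
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            trusted = parts.scheme == "https" and host in ALLOWED_HOSTS
        except ValueError:  # malformed URL: treat as untrusted
            host, trusted = "", False
        leaked = any(n in _flatten(url) for n in needles)
        if leaked:
            findings.append(("private_data_in_url", host))
        elif not trusted:
            findings.append(("untrusted_link", host))
        else:
            return match.group(0)  # allowlisted link with no private data
        return f"{text} [link removed]"

    return MD_LINK.sub(redact, markdown), findings

# Constructed sample: assistant output containing a link shaped by a comment.
PRIVATE_TITLES = ["Spring Launch Teaser"]  # constructed private video title
SAMPLE = ("Viewers liked the intro. "
          "[View details](https://collector.example/c?t=Spring%20Launch%20Teaser) "
          "Manage replies in [Studio](https://studio.youtube.com/).")

if __name__ == "__main__":
    safe, findings = sanitize_response(SAMPLE, PRIVATE_TITLES)
    print(safe)
    print(findings)
```

The title match only catches plain or URL-encoded text, so the host allowlist is applied independently of it; the findings list is what would feed the user confirmation and security notification layers.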
Ask Studio is being pushed as a channel companion
The timing is awkward for YouTube because the company has been promoting Ask Studio directly to creators. In a June 30 YouTube Blog guide, YouTube described Ask Studio as an AI-powered partner for creators and said it understands a creator's specific channel and brand. The post also told creators that their channel data is private and secure, visible only to them.
That promise is the pressure point. Ask Studio's value comes from its privileged context: analytics, comments, audience signals, unpublished work and channel history. The more YouTube encourages creators to ask broad questions in natural language, the more Ask Studio has to ingest messy data from viewers and combine it with private creator context. Prompt injection attacks exploit that merge.
Javox's disclosure does not show full private video access, account takeover or automated exfiltration without user interaction. It shows a smaller but still important failure mode: a viewer comment can shape the output of an assistant that creators are likely to treat as YouTube's own analysis. For a creator planning a product launch, a brand campaign, a music release or a personal video, even a private title can reveal timing and strategy.
The unresolved issue is not whether every prompt injection should earn a bounty. Google has reasons to reject reports that amount to model behavior complaints or ordinary phishing. The sharper question is where Google draws the boundary when an AI feature with private account context turns untrusted user content into an official-looking interface response and a clickable exfiltration path.
Javox's post puts YouTube's creator AI push on that line. Ask Studio is useful because it reads what creators do not have time to read. That same convenience gives attackers a cheap place to plant instructions and wait for YouTube's own assistant to repeat them.