A stored prompt injection vulnerability in YouTube Studio's AI assistant, Ask Studio, allows malicious comments to leak creators' private video titles to external servers.
Security researcher Javoriuski disclosed a stored prompt injection vulnerability in Ask Studio, YouTube Studio's conversational AI assistant. By leaving a comment containing instructions and later editing it (which avoids notifying the creator), an attacker can inject malicious prompts that execute when the creator uses Ask Studio to summarize comments. Because Ask Studio has access to channel metadata, the researcher demonstrated that the injected prompt can instruct the AI to construct markdown links with private video titles embedded as URL parameters. If the creator clicks the link, their private video titles are exfiltrated to the attacker's server. Google dismissed the reports, classifying the vulnerability as a social engineering issue rather than a platform bug.
Classifying a lack of input sanitization and role boundaries in first-party AI products as a user-side social engineering issue highlights the ongoing struggle of tech giants to adapt traditional security frameworks to LLM-specific threats.
* Stored prompt injection is highly stealthy because attackers can edit comments post-publication to bypass creator notification triggers.
* The attack exploits the creator's trust in a first-party tool (YouTube Studio) rather than a stranger, rendering standard social engineering defenses ineffective.
* Dynamic rendering of attacker-controlled markdown links that integrate private metadata provides an effortless vector for data exfiltration.
* The remedy requires enforcing strict role boundaries between system instructions and user-generated data (e.g. comment content).
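An output-side check for the link vector described above, as an added example (not code from the researcher's report or from Google): before assistant output is rendered, it drops markdown links whose host is not allowlisted or whose URL carries a private title. The function name, the allowlist and the sample data are assumptions constructed for illustration; it complements, and does not replace, separating instructions from comment data.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Inline markdown links and images: [label](url) or ![alt](url "title")
MD_LINK = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")

def _normalize(s):
    """URL-decode, lowercase, drop non-alphanumerics, so 'My Title',
    'my-title' and 'My%20Title' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", unquote_plus(s).lower())

def filter_assistant_output(text, private_titles, allowed_hosts):
    """Return (safe_text, findings). A link survives only if its host is
    allowlisted AND its URL carries no private title."""
    # Very short titles are skipped to limit false positives; the host
    # allowlist still applies to every link.
    secrets = [t for t in map(_normalize, private_titles) if len(t) >= 4]
    findings = []

    def check(match):
        _bang, label, url = match.groups()
        # URLs without a hostname (relative, javascript:) and malformed
        # URLs get host "" and therefore fail the allowlist.
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:
            host = ""
        reasons = []
        if host not in allowed_hosts:
            reasons.append("host-not-allowlisted")
        if any(s in _normalize(url) for s in secrets):
            reasons.append("private-title-in-url")
        if not reasons:
            return match.group(0)
        findings.append({"url": url, "reasons": reasons})
        return f"{label} [link removed]"  # keep the text, drop the target

    return MD_LINK.sub(check, text), findings

# Constructed sample data (not taken from the report).
PRIVATE_TITLES = ["Unreleased Album Teaser"]
ALLOWED_HOSTS = {"studio.youtube.com"}
SAMPLE_OUTPUT = (
    "Viewers mostly asked about upload timing. "
    "[Open full report](https://collector.example/r?t=Unreleased%20Album%20Teaser) "
    "or see [your analytics](https://studio.youtube.com/)."
)
```

The findings list can feed logging or alerting, so a blocked link also flags the comment thread that produced it for review.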
Discovered: 2026-07-04
Published: 2026-07-04
Author: javxfps