
Unlisted Links Aren’t Quite as Private as YouTube Promised - bookofjoe
https://www.psafe.com/en/blog/unlisted-links-arent-quite-private-youtube-promised/
======
userbinator
_Though YouTube claims that unlisted content can’t be accessed through an
Internet search, this isn’t quite true._

Of course. If someone shares the link elsewhere and _that_ page gets indexed
and crawled by a search engine, then it will obviously become accessible that
way.

 _Thanks to one YouTube flaw, unlisted videos become visible when placed in a
playlist._

Is that a flaw or "by design"? I could see this being useful for those who
want to only organise videos into playlists without having them "loose".

It seems the whole point of this feature is to prevent the videos from being
accessible from inside YouTube itself; whatever happens elsewhere is none of
their business, so it could be argued that it is working as intended.

~~~
Tehnix
It would be incredibly naive to think that google does no checks on the sites
they list in their searches. For one, they own Youtube and can directly look
up if the video is private, and secondly, aren’t there handling of this in
stuff like robots.txt?...

Edit: are we Reddit now, and downvotes are a sign of disagrement?

~~~
whatshisface
> _For one, they one Youtube and can directly look up if the video is
> private,_

If Google was found to be treating their own properties differently, there
would be an outcry that you couldn't believe.

~~~
lftl
Google supports the robots meta tag:

[https://developers.google.com/search/reference/robots_meta_t...](https://developers.google.com/search/reference/robots_meta_tag)

They could easily add a noindex meta tag to unlisted YT videos and then have
Google Search treat it like any other site.

~~~
pbhjpbhj
You could still find the unlisted videos on a page that links to them (such as
a playlist). Google couldn't delist pages that merely _link_ to noindex
content, in general, without allowing everyone who can control noindex tags
being able to delist any page that allows UGC with links.

Imagine if Google say "if it links to a non-public YT video we'll delist it",
that's just a weapon to get pages that take UGC delisted.

------
vermontdevil
My rule is if I don’t want video to be that public, I don’t post it on YouTube
even under private setting.

I use unlisted feature to reduce clutter on the channel while embedding them
elsewhere.

------
unreal37
The article is over sensationalizing something that really isn't that
shocking.

I thought they were going to index unlisted videos using brute force lookups
of the URL, or that an API was leaking. Now that would be Hacker News worthy.

~~~
userbinator
_I thought they were going to index unlisted videos using brute force lookups
of the URL_

If you're more interested in the format of YouTube video IDs, and whether it's
possible to bruteforce them, see the last post at

[https://webapps.stackexchange.com/questions/54443/format-
for...](https://webapps.stackexchange.com/questions/54443/format-for-id-of-
youtube-video)

tl;dr: they're 64-bit integers, base64 encoded, and randomly generated.

I haven't been able to find any clear statistics on how many videos it
contains, but it was slightly below 2^27 in 2008 (<80M) and based on the other
statistic that between 2^18 and 2^19 videos are uploaded every day; in 10
years that's <2^12 days, so there's probably <2^31 videos on YouTube now ---
roughly 2 billion. That means your chance of finding a valid video ID by
bruteforce random guessing is less than 1 in 2^33. You'd probably be
throttled/IP banned long before you got even a single valid ID.

~~~
londons_explore
They are _not_ randomly generated.

How could anyone ever prove they were random without reviewing the source
code?

Eg. It could be an auto-incrementing number encrypted with a reversible
cypher.

------
detaro
Does this find videos that haven't been linked anywhere and that somehow leak,
or only shared ones? If it's just the latter, the article is IMHO a tad
sensationalist.

~~~
mimimihaha
While working on a programming project for one of my classes I found an
unlisted youtube video in a Google search that demonstrated exactly how to
complete the project. I highly doubt the kid who uploaded it wanted anyone to
see. It consistently showed up in Google searches too and was uploaded the
same day. There is something definitely wrong with the way youtube protects
its unlisted videos. I really wouldn’t be surprised if the article wasn’t
exaggerating at all.

~~~
ItsMe000001
The use case I'm used to for unlisted videos is edX courses. The videos are
all hosted on Youtube and unlisted.

Example: [https://youtu.be/-RR1qt41oBg](https://youtu.be/-RR1qt41oBg)

I don't think they care how secure being "unlisted" is. I also don't think
that using free Youtube video hosting for secured(!) private videos is a sue
case anyone would reasonably expect Google to provide. I think it's a
convenience feature, not meant to let you skip on hosting costs for _actually_
(truly) private videos.

I'm happy to be corrected, as I said, I only know one use case and figured out
the second half that I just said on the fly, my quick thoughts given the
little I know.

 _EDIT:_ Seems to be pretty well known, I found several pages with this kind
of explanation: [https://www.pagecloud.com/blog/private-vs-unlisted-
youtube](https://www.pagecloud.com/blog/private-vs-unlisted-youtube)

> _YouTube’s UNLISTED video option gives users something between the Public
> and Private settings. Unlisted videos can be seen and shared by anyone with
> the video link, including those who do not have a Google Account._

Given that I found quite a few links with the same explanation, it seems that
most people understand what "unlisted" means very well, given that most of
those links I found were non-Google sources. So somebody wrote a blog post
because they misunderstood a Youtube feature?

~~~
pbhjpbhj
It's a pretty big search space but one presumably could brute force it and
create a site having links to all/lots of unlisted content.

~~~
ItsMe000001
Yes... and your point is? :-) Especially, what's the relation to my comment?
As I said, it is not _supposed_ to be "secret" pr "secure" at all.

~~~
pbhjpbhj
That was the entire point, it wasn't a contradiction, merely a reflection.
I've read the OP now, seems that one of the sites mentioned has done just
that.

------
bluedino
If you want private, mark the video as private.

