by phkahler 1990 days ago
>> This hack is great because the dev didn't have to read assembly code or parse WireShark logs or deploy any kind of cracking software.

Monitoring network traffic (http requests) and logs is similar to any other logged data or reading disassembled code. Patching in a different video ID is sort of like patching ASM to implement some hack. The automation created at the end to extract and assemble the video was basically creation of cracking software for this particular exploit.

What one person calls arcane knowledge is another's everyday tools. This is a case where I see obscure technical stuff, but web devs see regular stuff ;-)

2 comments

> What one person calls arcane knowledge is another's everyday tools.

Point taken. If this had been something about Android I'd be staring at my screen drooling like a dog looking at a TV.

It's also worth noting that the author doesn't go too much into detail of the how, and focuses more on the what.

> With my first account, I started using YouTube, trying every feature, pressing every button I could find, and whenever I saw an HTTP request with a video ID in it, I changed it to the target Private video

Was this done with some tooling or scripts, or purely by eyeing devtools? I could see that step for example being very similar to "parse WireShark logs", for example.

I agree that the level of detail included makes it fairly readable without being too scary to non-experts.

My money is on Burp proxy.

Pretty much every single web vulnerability researcher uses it, to the point of absurdity. Squint hard enough and screwdrivers have a familiar shape, so of course you look for a big enough hammer.

As a web dev trying to get into reverse engineering, this was super interesting to read. With the knowledge I have, it does seem like both things require a certain amalgamation of barely-related knowledge to be able to do effectively, and I didn't realize that until just now.