Benjamin-Loison / YouTube-operational-API

YouTube operational API works when YouTube Data API v3 fails.

Monitor no-key service key rotation #315

Open Benjamin-Loison opened 1 month ago

Benjamin-Loison commented 1 month ago

https://discord.com/channels/933841502155706418/933841503103627316/1290273845143404565

Benjamin-Loison commented 1 month ago

https://www.php.net/manual/en/function.hash-algos.php

```php
print_r(hash_algos());
```

Output:

```
Array (
[0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha224 [5] => sha256 [6] => sha384 [7] => sha512/224 [8] => sha512/256 [9] => sha512
[10] => sha3-224 [11] => sha3-256 [12] => sha3-384 [13] => sha3-512 [14] => ripemd128 [15] => ripemd160 [16] => ripemd256 [17] => ripemd320 [18] => whirlpool [19] => tiger128,3
[20] => tiger160,3 [21] => tiger192,3 [22] => tiger128,4 [23] => tiger160,4 [24] => tiger192,4 [25] => snefru [26] => snefru256 [27] => gost [28] => gost-crypto [29] => adler32
[30] => crc32 [31] => crc32b [32] => crc32c [33] => fnv132 [34] => fnv1a32 [35] => fnv164 [36] => fnv1a64 [37] => joaat [38] => murmur3a [39] => murmur3c
[40] => murmur3f [41] => xxh32 [42] => xxh64 [43] => xxh3 [44] => xxh128 [45] => haval128,3 [46] => haval160,3 [47] => haval192,3 [48] => haval224,3 [49] => haval256,3
[50] => haval128,4 [51] => haval160,4 [52] => haval192,4 [53] => haval224,4 [54] => haval256,4 [55] => haval128,5 [56] => haval160,5 [57] => haval192,5 [58] => haval224,5 [59] => haval256,5
)
```

Benjamin-Loison commented 1 month ago

https://www.php.net/manual/en/function.hash.php

```php
echo hash('sha512', '');
```

```
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
```

```sh
echo -n | sha512sum
```

```
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e  -
```

Benjamin-Loison commented 1 month ago

```php
date(DATE_ATOM)
```

We need millisecond precision, as 2 keys may be tested in a second.

The Stack Overflow answer 11424665 helps.

```php
//use \Datetime;

$now = new DateTime();
echo $now->getTimestamp();
die();
```

Benjamin-Loison commented 1 month ago

If the key is removed, then its hash does not enable me to get the initial YouTube Data API v3 key.

Benjamin-Loison commented 1 month ago
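
```php
// Append one line to $filePath, prefixed with the current time in milliseconds.
function logg($filePath, $toWrite) {
    $toWrite = floor(microtime(true) * 1000) . ' ' . $toWrite;
    file_put_contents($filePath, $toWrite . "\n", FILE_APPEND);
}
// Web-readable log: only the SHA-512 of a fixed prefix (shown as X's here) concatenated with the key.
logg('no_key_logs.txt', hash('sha512', 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' . $key));
// Log one directory above the script: the key itself.
logg('../no_key_logs_secret.txt', "New key $key");
```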

http://yt.lemnoslife.com/no_key_logs.txt

/var/www/no_key_logs_secret.txt

However, making people able to distinguish one key from another can be interesting.

Benjamin-Loison commented 1 month ago

Note that an interesting metric is how many days it takes to loop on an already used key.

Having some anonymized logs would let people see people's usage and the involved quota usage. However, I have to ensure that requests do not leak any private information by specifying the shape of correct requests. If we consider URLs, it is not too complicated to list all YouTube Data API v3 and YouTube operational API web-scraping endpoints; however, for parameters it starts being annoying unless automated.

Benjamin-Loison commented 1 month ago

It seems that the mutex is not actually exclusive.

```sh
cut -d ' ' -f 2 no_key_logs.txt | uniq | wc -l
```

helps.
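
The two log checks from the last comments (how long before an already used key comes back, and whether consecutive entries repeat), as an added example that is not from the issue or the project. It assumes `no_key_logs.txt` holds one `<epoch ms> <digest>` pair per line as written by `logg()`, and it treats back-to-back identical digests as a sign that two writers logged the same rotation; `analyze`, `parse` and the sample lines are constructed for illustration.

```python
from collections import defaultdict

MS_PER_DAY = 86_400_000

# Constructed sample in the "<epoch ms> <hex digest>" shape written by logg();
# the digests are shortened placeholders, not real SHA-512 values.
SAMPLE_LOG = """\
1727800000000 aaaa
1727800000250 bbbb
1727800000251 bbbb
1727886400000 cccc
malformed line
1728059200000 aaaa
"""

def parse(text):
    """Yield (timestamp_ms, digest) pairs in file order, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split(" ")
        if len(parts) == 2 and parts[0].isdigit() and parts[1]:
            yield int(parts[0]), parts[1]

def analyze(text):
    entries = list(parse(text))
    runs = 0                        # same count as: cut -d ' ' -f 2 | uniq | wc -l
    repeats = []                    # entries whose digest equals the previous line's
    reuse_days = defaultdict(list)  # digest -> gaps in days before it was used again
    last_seen = {}
    previous = None
    for ts, digest in entries:
        if digest == previous:
            # Assumption: an immediate repeat means the same rotation was logged twice.
            repeats.append((ts, digest))
        else:
            runs += 1
            if digest in last_seen:
                reuse_days[digest].append((ts - last_seen[digest]) / MS_PER_DAY)
        last_seen[digest] = ts
        previous = digest
    return {"entries": len(entries), "runs": runs,
            "repeats": repeats, "reuse_days": dict(reuse_days)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

When `runs` is lower than `entries`, the `repeats` list gives the millisecond timestamps of the duplicated lines, which can then be matched against the secret log.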