A recent discovery by security researchers has revealed a significant flaw in YouTube’s privacy measures, allowing the email addresses of users to be accessed without their knowledge. The vulnerability, which was traced back to several interconnected issues across Google’s ecosystem, has since been patched by the tech giant, with the researchers awarded a $10,633 bounty for their findings.
The researcher, known as Brutecat, demonstrated how a simple exploit could pull email addresses tied to any YouTube account. Initially, Brutecat discovered that YouTube exposed a unique identifier called the GAIA ID. This ID is used for tracking user accounts across various Google services. By attempting to block a YouTube user, Brutecat could easily obtain the channel name and an obfuscated GAIA ID from the server response. Intriguingly, the GAIA ID appeared even without blocking the user—simply clicking on the three-dot menu was enough to expose it, affecting potentially all four billion YouTube channels.
The second stage of the exploit involved converting the GAIA ID into the actual email address associated with the account. Collaborating with another security researcher, Nathan from schizo.org, Brutecat examined older Google products for additional vulnerabilities. The pair found that an endpoint in the Pixel Recorder app returned the user’s email when attempting to share a recording, provided the GAIA ID was sent. Although Google sent notifications to users whenever their email was accessed in this manner, the researchers found a clever workaround: they set the recording title to an exceptionally long string of characters—2.5 million ‘X’ letters—stopping the notification system from triggering.
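As an added illustration (not code from Google, the researchers, or this article), the following Python sketch models the second stage of the chain: a share endpoint that resolves an internal account identifier to an email address and is supposed to notify the account owner. The page does not explain why the oversized title stopped the notification, so the example assumes a notification backend that silently drops oversized payloads; the handler names, the directory, the 256-character title limit and the 10,000-character backend limit are all assumptions chosen for the example. The hardened handler validates the title before doing anything else, treats a failed notification as a failed share, and never returns the resolved email to the caller.

```python
"""
Hypothetical share handlers illustrating the failure mode described above.
Everything here is constructed for the example; none of it is Google's code.
"""
from dataclasses import dataclass, field

# Assumed application-level limit on a recording title (not stated on the page).
MAX_TITLE_LEN = 256


@dataclass
class Notifier:
    """Stand-in for an owner-notification service; records what it would have sent.

    The backend is assumed to reject payloads over max_payload characters, which
    is one way an oversized title could suppress the notification.
    """
    sent: list = field(default_factory=list)
    max_payload: int = 10_000  # assumed backend limit

    def notify(self, recipient_email: str, title: str) -> bool:
        if len(title) > self.max_payload:
            return False  # backend drops the oversized notification
        self.sent.append((recipient_email, title))
        return True


# Constructed sample mapping of internal account id -> email address.
DIRECTORY = {"id-1001": "alice@example.com"}


def share_vulnerable(account_id: str, title: str, notifier: Notifier):
    """Vulnerable pattern: the notification result is ignored and the resolved
    email is handed back to the caller, so a dropped notification means the
    owner never learns their address was looked up."""
    email = DIRECTORY.get(account_id)
    if email is None:
        return None
    notifier.notify(email, title)  # return value ignored: fails open
    return {"recipient": email}


def share_hardened(account_id: str, title: str, notifier: Notifier):
    """Hardened pattern: validate input first, fail closed if the owner cannot
    be notified, and never expose the resolved email to the caller."""
    if len(title) > MAX_TITLE_LEN:
        raise ValueError("title exceeds MAX_TITLE_LEN")
    email = DIRECTORY.get(account_id)
    if email is None:
        return None
    if not notifier.notify(email, title):
        raise RuntimeError("owner notification failed; share aborted")
    # Only an opaque acknowledgement goes back to the caller.
    return {"recipient_id": account_id, "shared": True}


if __name__ == "__main__":
    n = Notifier()
    print(share_vulnerable("id-1001", "X" * 2_500_000, n), n.sent)
    n = Notifier()
    print(share_hardened("id-1001", "vacation", n), n.sent)
```

The two properties worth checking in a review of any identifier-to-contact lookup are the ones the hardened handler enforces: the side effect that gives the user visibility (the notification) must be a precondition of the response rather than an afterthought, and the response itself should not contain the resolved personal data when the caller only needs an acknowledgement.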
This chain of vulnerabilities allowed the researchers to retrieve YouTube users’ email addresses unnoticed. Brutecat reported the issue to Google in mid-September 2024, with the tech giant eventually granting him $10,633 for the discovery.