- cross-posted to:
- privacy@lemmy.dbzer0.com
Andisearch Writeup
A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube’s 2.7 billion users by exploiting two separate Google services[1][2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube’s block feature, then using Google’s Pixel Recorder app to convert these IDs into email addresses[1].
To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system[1]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users’ GaiaIDs without actually blocking them[2].
Brutecat reported the vulnerability to Google on September 15, 2024[1]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity[1]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers[2].
Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure[1].
Why not couch the article as “a vulnerability was found and patched” instead of “something bad could have happened”?
“STORE COULD HAVE BEEN ROBBED!! A bystander noticed the door wasn’t locked, with the owner realizing he hadn’t been locking it correctly. There is no evidence anyone broke in.”
News in the porcelain village in Oz.
Because with stores, the evidence would be missing products. Very easy to see. With bugs like this, a million people could have abused it, or one. Either way that data is likely available to all who want it.
A better comparison is: the store posted a list of their customers’ addresses on the back door. No clue how many people walked by there, much less if anyone copied it down.
Problem is that knowing the link between a person’s profile and their email now means you know the link between their account and their accounts in many other places. That information could be used to offer the person different prices at stores, attack them for being a minority or activist, to hack their account because their password was leaked from another site that uses that email, or all the other things these cumulative leaks add up to.
That isn’t “something bad could have happened”, but “how much has already happened” because of this.
Really glad I do not have a google account and avoid all of their services. 🙂
Even this way Google logs your activity, because half of the internet, apps and services, apart from YT, use Google APIs, like google-taskmanager, googleanalytics, doubleclick.net and others, not only the Google services. Google permits you to manage and delete all this data in the Google Dashboard, but only if you have an account; naturally it doesn’t say so and only a few users know it. It’s a mess, but Google (Alphabet Inc.) is everywhere; you can’t avoid it completely, even avoiding its services, except by using exclusively i2p or other decentralized apps and services. Google has had complete freedom for too many years to dominate the internet, ending its “don’t be evil”.
Well, let’s hope Brutecat is a lamb. Jesus.
Another argument in favor of not sharing any information with Big Data companies when you can help it: when they don’t abuse it themselves, they mishandle it.
I don’t disagree, but what more could Google do here? They had a flaw in their system that required two completely different services at Google in order to exploit and the result is an email address, not access to the account itself. Google also is actively paying for people to help them find these issues. I think they did a stellar job here, but of course being perfect with the security of the software implementations is always the best case.
What I’m saying is, the best way to ensure Google doesn’t leak your email address is to not provide your email address to Google.
No email address should be necessary to watch Youtube videos. The only reason Google wants your details is to track your watching habits more easily.
I completely agree. This shit came down when they had their failed social circled thing where they broke search operators and required a Google account for YouTube. They’ve been on the full-blown path to enshittification ever since.