Google Fixes Critical Vulnerabilities That Exposed YouTube Users’ Email Addresses
Google has resolved two security flaws that, when combined, could reveal the email addresses of YouTube users, potentially leading to a severe privacy breach for those attempting to remain anonymous.
Discovery of the Vulnerabilities
These vulnerabilities were unearthed by security researchers Brutecat (brutecat.com) and Nathan (schizo.org). Their investigation revealed that YouTube and Pixel Recorder APIs could be exploited to obtain users’ Google Gaia IDs and then convert them into their corresponding email addresses.
Risk to Privacy
This breach poses a significant risk to content creators, whistleblowers, and activists who rely on anonymity. Access to their email addresses could compromise their identities and content security.
How the Flaws Worked
The first vulnerability was identified in Google’s internal People API. Researchers found that YouTube’s blocking feature in live chat revealed the targeted user’s obfuscated Gaia ID within an API response.

Simply clicking on the three-dot menu in a chat triggered the API request, allowing researchers to access the ID without the need to block the user. This method also worked on any YouTube channel.
Converting Gaia ID to Email
Once the Gaia ID was obtained, the researchers needed to convert it into an email address. They discovered that the deprecated APIs for this purpose were no longer functional. However, they found a way to use the web-based API of Pixel Recorder, which shares recordings and returns the associated email address.

Submitting the Gaia ID to the Pixel Recorder sharing feature returned the linked email address, potentially exposing millions of YouTube users.
Privacy Impact Across Google Services
These vulnerabilities affected more than just YouTube. Gaia IDs are used across Google services including Maps, Play, and Pay, posing a risk to all Google users. The exposure could reveal the email address linked to a Google account.
Preventing Notification Alerts
To prevent alerts from being sent to users, the researchers manipulated the title data in the sharing request to include an excessively long title. This caused the email notification service to fail, ensuring that malicious activity would not be detected.
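The two server-side properties whose absence is described above (a share call that hands the resolved address back to the caller, and a share that still succeeds when its notification fails) can be shown in a hardened handler. This is an added example, not Google's code or the researchers'; ShareService, the directory map, MAX_TITLE_LEN and the notifier are hypothetical, and the sample data is constructed.

```python
# Added example: hypothetical share handler, not Google's implementation.
MAX_TITLE_LEN = 200  # assumed limit; pick one every downstream service accepts


class NotifyError(Exception):
    """Raised by the notifier when a message cannot be delivered."""


class ShareService:
    def __init__(self, directory, notifier):
        self.directory = directory  # constructed: opaque account id -> email
        self.notifier = notifier    # callable(email, title); may raise NotifyError
        self.grants = set()         # (recording_id, account_id) pairs
        self.audit = []             # events a detection pipeline can alert on

    def share(self, caller_id, recording_id, target_id, title):
        # 1. Bound caller-controlled input before it reaches other services.
        if not isinstance(title, str) or not 0 < len(title) <= MAX_TITLE_LEN:
            self.audit.append(("rejected_title", caller_id, target_id))
            return {"status": "invalid_title"}
        email = self.directory.get(target_id)
        if email is None:
            return {"status": "not_shared"}
        # 2. Fail closed: the grant survives only if the target was notified.
        self.grants.add((recording_id, target_id))
        try:
            self.notifier(email, title)
        except NotifyError:
            self.grants.discard((recording_id, target_id))
            self.audit.append(("notify_failed", caller_id, target_id))
            return {"status": "not_shared"}
        # 3. The response never carries the address resolved from the id.
        return {"status": "shared"}


def strict_notifier(sent, limit=100):
    """Constructed notifier that fails on titles longer than `limit`."""
    def notify(email, title):
        if len(title) > limit:
            raise NotifyError("title too long")
        sent.append((email, title))
    return notify
```

The audit entries for rejected titles and failed notifications give defenders a signal for repeated share attempts against many account IDs.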
Resolution by Google
Brutecat and Nathan disclosed the vulnerabilities to Google on September 24, 2024. Google addressed the issues by fixing the Gaia ID leak and the Gaia ID to email flaw via Pixel Recorder. They also ensured that blocking a user on YouTube would not impact other services.
Google confirmed that there are no signs of active exploitation of these vulnerabilities.
Conclusion
This incident highlights the importance of regular security audits and responsible disclosure practices. While Google took swift action to address these vulnerabilities, the potential impact underscores the need for continuous vigilance in protecting user privacy across digital platforms.
