Google Vulnerability Exposes YouTube Channel Email Addresses

Infosec In Brief A security researcher has uncovered a vulnerability in Google’s systems that could expose the email addresses of YouTube channels, contradicting the company’s privacy assurances.

Google’s Privacy Promises Shaken

A security researcher known only as Brutecat recently revealed two security flaws that, when combined, could leak email addresses through Google’s YouTube platform. This is particularly concerning as Google has publicly committed to maintaining user privacy.

The Discovery

Brutecat was exploring Google’s People API when he found that blocking a YouTube user relied on an obscured “Gaia” ID, a unique identifier employed across all Google services. According to Google support, blocking a user on YouTube effectively blocks them across all Google platforms, meaning the Gaia ID, not the YouTube account, is what gets blocked.

Brutecat reasoned that, given earlier bugs that had linked Gaia IDs to email addresses, a similar link plausibly still existed in some older, less-used Google product.

The Connection

The researcher discovered just such a connection in the web version of Pixel Recorder, an audio recording app exclusive to Google Pixel devices. By sharing a recording from Pixel Recorder to a Gaia ID and analyzing the web request, Brutecat was able to expose the target’s email address.

Typically, such a share would trigger a notification to the recipient, but Brutecat suppressed it by using a Python script to give the recording an extremely long filename (approximately 2.5 million characters), which caused the notification to fail.

Reward and Resolution

Brutecat submitted the findings to Google’s bug bounty program. Initially, Google awarded $3,133. However, after re-evaluating the vulnerability, Google recognized its potential for exploitation and increased the award to $10,633. Google has since fixed the vulnerabilities.

Other Security Updates

Critical Vuln of the Week: FortiOS Follies

Fortinet disclosed a recent vulnerability in its FortiOS operating system. Exploiting this flaw requires connecting the targeted FortiGate firewall to another FortiGate firewall controlled by the attacker. Despite requiring specific conditions, this vulnerability remains significant and warrants attention during the next maintenance window.

Cisco Data Leak: Calm Down

Ransomware gang Kraken claimed to have breached Cisco Systems, exposing sensitive data including privileged administrator credentials and Switchzilla’s Kerberos ticket system. However, Cisco maintained that the incident, which occurred in May 2022, was fully addressed at the time.

According to a Cisco spokesperson, “The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time.”

DOGE’s Flawed Website

Following Elon Musk’s directive for transparency, his team in the Department of Government Efficiency (DOGE) hastily launched a website, doge.gov. The site has since been criticized for its shoddy construction and security weaknesses.

Web developers noted that anyone could make changes to the site and see them published, raising concerns about its security and governance. The site also appears to be hosted on Cloudflare rather than on official government servers, further complicating its administration.

Zacks Investment Research Breach Affects 12M Users

Zacks Investment Research experienced another data breach, affecting customers who subscribed prior to June 2024. The leak, which includes 12 million unique email addresses and other personal information, was posted on a hacking forum.

The threat actor gained access to Zacks’ internal files using an Active Directory administrator account, allowing them to steal source code from multiple Zacks-owned sites. While Zacks has not confirmed the breach, it is advisable for affected customers to change their passwords.

FBI’s Cryptocurrency Scam Success

The FBI’s “Operation Level Up” has successfully protected over 4,300 individuals in the US from cryptocurrency investment scams, saving them more than $285 million. The majority of these victims were unaware they were being targeted.

Scams typically involve unsolicited contact, building trust, fake investment offers, and urgent requests. The FBI uses sophisticated techniques to identify individuals at risk and educates them to prevent future incidents.

“Unfortunately, we continue to see these scams grow and evolve every day,” stated FBI CID assistant director Chad Yarbrough. “We will do everything we can to stop them from targeting U.S. citizens.”

Conclusion

These security incidents highlight the ever-evolving landscape of cybersecurity threats. Whether it’s protecting email addresses on YouTube or combating sophisticated ransomware attacks, the importance of robust security measures cannot be overstated. Stay informed and cautious to safeguard your personal and organizational data.
