Google fixes flaw that could unmask YouTube users’ email addresses – BleepingComputer
Google fixes flaw that could unmask YouTube users’ email addressesBadPilot network hacking campaign fuels Russian SandWorm attacksMicrosoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flawsDPRK hackers dupe targets into typing PowerShell commands as adminGet started as a YouTube content creator with this course dealDutch Police seizes 127 XHost servers, dismantles bulletproof hosterHacker leaks account data of 12 million Zacks Investment usersChinese espionage tools deployed in RA World ransomware attackHow to access the Dark Web using the Tor BrowserHow to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11How to use the Windows Registry EditorHow to backup and restore the Windows RegistryHow to start Windows in Safe ModeHow to remove a Trojan, Virus, Worm, or other MalwareHow to show hidden files in Windows 7How to see hidden files in WindowsRemove the Theonlinesearch.com Search RedirectRemove the Smartwebfinder.com Search RedirectHow to remove the PBlock+ adware browser extensionRemove the Toksearches.xyz Search RedirectRemove Security Tool and SecurityTool (Uninstall Guide)How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundoHow to remove Antivirus 2009 (Uninstall Instructions)How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKillerLocky Ransomware Information, Help Guide, and FAQCryptoLocker Ransomware Information Guide and FAQCryptorBit and HowDecrypt Information Guide and FAQCryptoDefense and How_Decrypt Ransomware Information Guide and FAQQualys BrowserCheckSTOPDecrypterAuroraDecrypterFilesLockerDecrypterAdwCleanerComboFixRKillJunkware Removal TooleLearningIT Certification CoursesGear + GadgetsSecurityBest VPNsHow to change IP addressAccess the dark web safelyBest VPN for YouTubeGoogle has fixed two vulnerabilities that, when chained together, could expose the email addresses of YouTube accounts, causing a massive privacy breach for those using the site anonymously.The flaws were discovered by security researchers Brutecat (brutecat.com) and Nathan (schizo.org), who found that YouTube and Pixel Recorder APIs could be used to obtain user’s Google Gaia IDs and convert them into their email addresses.The ability to convert a YouTube channel into an owner’s email address is a significant privacy risk to content creators, whistleblowers, and activists relying on being anonymous online.The first part of the attack chain, which was exploitable for months, was discovered after BruteCat looked through Google’s Internal People API and found that Google’s network-wide “blocking” feature required an obfuscated Gaia ID and a display name.A Gaia ID is a unique internal identifier Google uses to manage accounts across its network of sites. As users register for a single “Google Account” that is used across all of Google’s sites, this ID is the same throughout Gmail, YouTube, Google Drive, and other Google services.However, this ID is not meant to be public and is for internal use to share data between Google’s systems.Playing around with the blocking feature on YouTube, BruteCat discovered that when attempting to block someone in a live chat, YouTube exposes the targeted person’s obfuscated Gaia ID in a response from the /youtube/v1/live_chat/get_item_context_menu API request.The response included base64 encoded data that, when decoded, contained the Gaia ID of that user.The researchers found that simply clicking on the three-dot menu in a chat triggered a background request to YouTube’s API, allowing them to access the ID without having to block them. By modifying the API call, the researchers retrieved the Gaia ID of any YouTube channel, including those attempting to remain anonymous.Armed with the Gaia ID, they now wanted to figure out a way to convert it into an email address, which would increase the flaw’s severity.However, older APIs that could do this have been deprecated or no longer work, so BruteCat and Nathan began looking for old, outdated Google services that could potentially still be exploited.After experimenting, Nathan discovered that Pixel Recorder has a web-based API that could be used to convert the ID into an email when sharing a recording.This meant that once a YouTube user’s Gaia ID was obtained, it could be submitted to the Pixel Recorder sharing feature, which then returned the associated email address, potentially compromising the identity of millions of YouTube users.”Gaia IDs are leaked across several Google products apart from just YouTube (Maps, Play, Pay), causing a significant privacy risk for all Google users, as they can be used to reveal the email address tied to the Google account,” the researchers told BleepingComputer.While the researchers now had a way of getting an email address from Gaia ID, the service also notified the users of the shared file, potentially alerting them of the malicious activity.As the notification email included a video’s title in the email notification, the researchers modified their request to include millions of characters in the title data, which caused the email notification service to fail and not send the email.The researchers disclosed the flaw to Google on September 24th, 2024, and it was ultimately fixed last week on February 9th, 2025.Google initially responded that the vulnerability was a duplicate of a previously tracked bug, only awarding a $3,133 bounty. However, after demonstrating the additional Pixel Recorder component, they increased the bounty to $10,633, citing a high likelihood that it would be exploited.BruteCat and Nathan told BleepingComputer that Google mitigated the bugs by fixing the Gaia ID leak and the Gaia ID to Email flaw via Pixel Recorder. Google also made it so blocking a user on YouTube only impacted that site and would not affect other services.Google has confirmed to BleepingComputer that mitigations for the bugs are now completed and that there are no signs that any attacker actively exploited the flaws.Google says hackers abuse Gemini AI to empower their attacksGoogle blocked 2.36 million risky Android apps from Play Store in 2024Google to kill Chrome Sync on older Chrome browser versionsGoogle launches customizable Web Store for Enterprise extensionsNew Android Identity Check locks settings outside trusted locationsNot a member yet? Register NowFortinet discloses second firewall auth bypass patched in JanuaryWindows 10 KB5051974 update force installs new Microsoft Outlook appApple fixes zero-day exploited in ‘extremely sophisticated’ attacksRequest your complimentary data risk assessment for AWSRDP Security Simplified – No VPN, No Firewall Exposure. Get a free TruGrid business trial.RDP Security Simplified – No VPN, No Firewall Exposure. Get a free TruGrid business trial.Get the GOAT Guide to learn how to start validating, start defending, and start winning.Password health-check overdue? Audit your Active Directory for freeTerms of Use – Privacy Policy – Ethics Statement – Affiliate DisclosureCopyright @ 2003 – 2025 Bleeping Computer® LLC – All Rights ReservedNot a member yet? Register NowRead our posting guidelinese to learn what content is prohibited.
