Google has fixed a security flaw that exposed the email addresses of YouTube users,?? ?? ??? a potentially massive privacy breach.
Google — which owns YouTube — has confirmed that the vulnerabilities discovered by cybersecurity researchers, who go by Brutecat and Nathan, have been addressed, according to a report in BleepingComputer.
Aside from the breach of privacy that would've affected all YouTube accounts, many YouTubers like controversial content creators, investigators, whistleblowers, and activists keep their identities anonymous to protect their safety. Exposing such users' emails could have had huge ramifications.
Brutecat discovered that blocking a user on YouTube revealed a unique internal identifier Google uses for each user across all of its platforms (Gmail, Google Drive, etc.) called a Gaia ID. They then figured out that simply clicking the three dot icon of a user's live chat profile to access the block function triggered an API request that revealed their Gaia ID.
This in itself is already a security flaw since it exposed the unique identifiers for YouTube accounts that is only meant to be used internally. But now that Brutecat was able to retrieve users' Gaia IDs, they set out to see if they could reveal the email addresses associated with each ID.
With Nathan's help, the two researchers surmised they could do this with "old forgotten Google products since they probably contained some bug or logic flaw to resolve a Gaia ID to an email." Using Google's Recorder app for Pixel devices, they tested sharing a recording with an obfuscated Gaia ID and blocked the user from receiving an email notification by renaming the file with a 2.5 million letter name, which broke the email notification system because it was too long.
Now that the hypothetical victim wouldn't be notified, the researchers sent the file sharing request with the Gaia IDs, effectively converting the ID into an email address.
Thanks to Brutecat and Nathan's sleuthing, Google was able to lock down that vulnerability and prevent hackers from accessing everyone's email address associated with their YouTube accounts. The vulnerability was disclosed to Google in Sep. 2024 and was finally fixed on Feb. 9, 2025. That's a long time for potential exposure, but Google confirmed to BleepingComputer that there were "no signs that any attacker actively exploited the flaws."
In exchange for their work, the researchers received a cool $10,633. Phew, crisis averted.
Previous:A Show of Skin
‘A Principled Stand’ Tells Gordon Hirabayashi’s Story in His Own Words
Fear and Loathing on Melrose Place
Google launches citizen science project to help protect coral reefs
One of the best Nintendo Switch 2 launch games is just $15
L.A. Japan Fair 2013 at OC Fairground
After Pornhub left France, this VPN saw a 1,000% surge in minutes
US biggest importer of Chinese batteries for fifth straight year · TechNode
Audible deal: Get Premium Plus for a year for $89
'Space Battleship Yamato' at Downtown Independent
Archival Frictions
GamerLegion make it to Paris Major semi
Best kitchen deal: Save $70 on the Ninja Pizza Oven at Amazon
Best sex toy deals (June 2025)
Audible deal: Get Premium Plus for a year for $89
'Star Trek' Designers to Be Honored at Cal State L.A.'s Eagle Con
DeepSeek releases new models Janus
BYD was top
The first images of Earth are chilling
sh1ro stars as Cloud9 overcome Imperial in IEM Rio Major elimination series
Today's Hurdle hints and answers for June 6, 2025
Amazon Prime Day book deals: Up to 50% off booksThe 3 best October Prime Day robot vacuum deals — according to an expertNYT Connections hints and answers for January 3: Tips to solve 'Connections' #572.Texas vs. Arizona State football livestreams: kickoff time, streaming deals, and moreNYT Connections Sports Edition hints and answers for January 2: Tips to solve Connections #101Atlanta Hawks vs. Los Angeles Lakers 2025 livestream: Watch NBA onlineThe best Lego deals of Prime Big Deal Days 2024October Prime Day 2024: Our top lightning dealsNYT Connections Sports Edition hints and answers for January 2: Tips to solve Connections #101How to watch 'Furiosa: A Mad Max Saga' at home in 2024 NYT mini crossword answers for November 28 Early Black Friday 2 Shop the best early Black Friday deals on Kindles this Thanksgiving Peloton Bike deal: save $350 at Amazon Early Black Friday AirPods deals: Max and Pro models are already discounted Best Black Friday deals that make great stocking stuffers Strava DMs are now open Best food delivery deal: Amazon Prime members are eligible for a year Disgraced Congressman George Santos opens a Cameo account Fitbit Ace 3 activity tracker for kids: Now at its lowest price ever
0.2818s , 9845.8359375 kb
Copyright © 2025 Powered by 【?? ?? ???】Google patched a major security flaw that could've exposed YouTubers' email addresses,Feature Flash
