Google has patched two serious security flaws that, when exploited together, could have revealed the email addresses of YouTube users—posing a major privacy risk, especially for those who rely on anonymity.
Security researchers BruteCat (brutecat.com) and Nathan (schizo.org) uncovered the vulnerabilities, which stemmed from weaknesses in YouTube’s and Pixel Recorder’s APIs. By chaining these flaws, attackers could retrieve a user’s unique Google Gaia ID and convert it into an email address.
Gaia IDs are internal Google identifiers meant to manage user accounts across Gmail, YouTube, Drive, and other services. These IDs are not supposed to be public, but researchers found a way to extract them through YouTube’s live chat feature.
The Exploited API Loopholes
The first flaw involved YouTube’s API leaking Gaia IDs when a user attempted to block someone in live chat. Researchers discovered that simply clicking the three-dot menu in a chat triggered an API request, revealing the targeted user’s Gaia ID in a base64-encoded response.
Once they had the Gaia ID, the next challenge was converting it into an email address. Older Google APIs that allowed this had been deprecated, but after some digging, Nathan found that Pixel Recorder still had a web-based API that could do the conversion. By using the file-sharing feature in Pixel Recorder, they were able to retrieve the email address linked to the Gaia ID.
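The root design problem here is that an API response for a per-chat action carried a global account identifier, merely base64-encoded. The following is an added illustration (not code from the researchers, Google, or YouTube) contrasting that pattern with a keyed, per-chat pseudonym that the server can resolve but clients cannot reverse or link across services; the key, identifiers and chat names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # placeholder server secret


def vulnerable_block_menu_response(internal_account_id: str) -> dict:
    """Weak pattern: the global account id is only base64-encoded in the response."""
    params = json.dumps({"target": internal_account_id}).encode()
    return {"blockParams": base64.b64encode(params).decode()}


def recover_global_id(response: dict) -> str:
    """Base64 is encoding, not protection: any client can read the id straight back."""
    return json.loads(base64.b64decode(response["blockParams"]))["target"]


def scoped_handle(internal_account_id: str, context: str, key: bytes) -> str:
    """Keyed pseudonym: stable within one chat, different in every other context,
    and not reversible without the server-side key."""
    msg = f"{context}:{internal_account_id}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode().rstrip("=")


class BlockService:
    """Hardened pattern: clients only ever see per-chat handles; the mapping back to
    the internal id lives server-side and a block applies to that chat only."""

    def __init__(self, key: bytes):
        self._key = key
        self._handles: dict[tuple[str, str], str] = {}  # (chat, handle) -> internal id

    def render_menu(self, internal_account_id: str, context: str) -> dict:
        handle = scoped_handle(internal_account_id, context, self._key)
        self._handles[(context, handle)] = internal_account_id
        return {"blockTarget": handle}

    def block(self, context: str, handle: str) -> str:
        internal_id = self._handles.get((context, handle))
        if internal_id is None:
            raise KeyError("unknown block target for this chat")
        return internal_id  # caller applies the block within this context only
```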
Google’s Response & Fix
BruteCat and Nathan reported the issue to Google on September 24, 2024. Initially, Google classified the bug as a duplicate of a previously known issue and awarded only a $3,133 bounty. However, once the researchers demonstrated the Pixel Recorder exploit, Google acknowledged the severity of the problem and increased the bounty to $10,633.
Google has now patched the vulnerabilities by preventing Gaia ID leaks and blocking their conversion into emails via Pixel Recorder. Additionally, blocking a user on YouTube will no longer affect other Google services.
Google confirmed to BleepingComputer that the security flaws have been fully mitigated and, fortunately, there’s no evidence that hackers exploited them before the fix.
Bijay Pokharel