Cybersecurity Experts Discover Major Security Vulnerability in YouTube and Google

Uncategorized Mihnea


**Google Addresses Security Vulnerability That Could Have Revealed YouTube Users’ Email Addresses**

Google has rectified a security issue that had the potential to expose the email addresses of YouTube users, which could result in a serious violation of privacy.

The vulnerability, identified by cybersecurity experts known as [Brutecat](https://brutecat.com/articles/leaking-youtube-emails) and [Nathan](https://schizo.org/), has now been resolved, as reported by [BleepingComputer](https://www.bleepingcomputer.com/news/security/google-fixes-flaw-that-could-unmask-youtube-users-email-addresses/).

This problem represented a significant threat, as numerous YouTube users—including contentious creators, investigators, whistleblowers, and activists—depend on anonymity for their protection. An exposure of their email addresses could have led to dire repercussions.

### Mechanism of the Vulnerability

Brutecat found that blocking a user on YouTube disclosed a distinct internal identifier utilized across Google’s services, referred to as a Gaia ID. By using the three-dot menu on a user’s live chat profile and selecting the block option, an API request was initiated that revealed this identifier.

The mere exposure of Gaia IDs was already a security risk, prompting the researchers to investigate whether these IDs could be connected to email addresses.

With Nathan’s assistance, they delved into older Google products, suspecting potential overlooked vulnerabilities. They discovered that Google’s Recorder app on Pixel devices could be exploited for this function. By sharing a recording containing an obscured Gaia ID and avoiding an email alert (by giving the file an excessively long name), they managed to navigate around the system.

This enabled them to send a file-sharing request with the Gaia ID, effectively transforming it into an email address.

### Google’s Action

Thanks to the diligent work of Brutecat and Nathan, Google successfully resolved the vulnerability and thwarted possible exploitation. The researchers flagged the issue in September 2024, and Google officially addressed it on February 9, 2025.

Despite the flaw remaining unaddressed for several months, Google assured BleepingComputer that there was no indication of it being exploited by malicious users.

As a token of appreciation for their findings, the researchers were awarded a $10,633 bounty. Crisis averted!