Google corrected a major security flaw that could have exposed the e-mail addresses of YouTubers

Google has corrected a security defect which exposed the email addresses of YouTube Users, a potentially massive confidentiality violation.

Google – which has YouTube – has confirmed that vulnerabilities discovered by cybersecurity researchers, who go through Brutecat And Nathanwere sent, according to a report in BIP computer.

Aside from the violation of privacy which would have affected all the YouTube accounts, many YouTubers such as the creators of controversial content, the investigators, the denunciators and the activists keep their anonymous identity to protect their security. Exposing the emails of these users could have had huge ramifications.

Brutecat discovered that the blocking of a user on YouTube revealed a unique internal identifier that Google uses for each user on all its platforms (Gmail, Google Drive, etc.) called ID Gaia. They then understood that the simple fact of clicking on the three -point icon from the cat profile live from a user to access the block function triggered a request for API which revealed their ID Gaia.

This in itself is already a lack of security because it has exposed the unique identifiers for the YouTube accounts which are only supposed to be used internally. But now that Brutecat has been able to recover the ID Gaia from users, they have decided to see if they could reveal the email addresses associated with each identifier.

With the help of Nathan, the two researchers supposed that they could do it with “the old google products forgotten because they probably contained a bug or a logical fault to resolve a Gaia identifier to an email”. By using the Google recorder application for Pixel devices, they tested the sharing of a recording with an obscured Gaia ID and prevented the user from receiving an email notification by rejoining the file with a letter name 2.5 million, which broke the e-mail notification system because it was too long.

Now that the hypothetical victim would not be informed, the researchers have sent the request for file sharing with the ID Gaia, effectively converting the ID to an e-mail address.

Thanks to Brutecat and Nathan Sleuthing, Google was able to lock this vulnerability and prevent the pirates from accessing the email address of each associated with their YouTube accounts. Vulnerability was disclosed to Google in September 2024 and was finally set on February 9, 2025. It was long for potential exposure, but Google confirmed to Bleeping Compompute that there was “no sign that any attacker actively exploited the faults “.

In exchange for their work, the researchers received $ 10,633. Phew, the crisis avoided.