- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Andisearch Writeup
A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube’s 2.7 billion users by exploiting two separate Google services[1][2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube’s block feature, then using Google’s Pixel Recorder app to convert these IDs into email addresses[1:1].
To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system[1:2]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users’ GaiaIDs without actually blocking them[2:1].
Brutecat reported the vulnerability to Google on September 15, 2024[1:3]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity[1:4]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers[2:2].
Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure[1:5].
What I’m saying is, the best way to ensure Google doesn’t leak your email address is to not provide your email address to Google.
No email address should be necessary to watch Youtube videos. The only reason Google wants your details is to track your watching habits more easily.
I completely agree. This shit came down when they had their failed social circled thing where they broke search operators and required a Google account for YouTube. They’ve been on the full-blown path to enshittification ever since.