For at least four months, YouTube was vulnerable to a sneaky exploit that could have leaked the email address of any of its users — all 2.7 billion of them.

Andisearch Writeup

A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube’s 2.7 billion users by exploiting two separate Google services[1][2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube’s block feature, then using Google’s Pixel Recorder app to convert these IDs into email addresses[1:1].

To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system[1:2]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users’ GaiaIDs without actually blocking them[2:1].

Brutecat reported the vulnerability to Google on September 15, 2024[1:3]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity[1:4]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers[2:2].

Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure[1:5].

  1. Brutecat - Leaking the email of any YouTube user for $10,000 ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  2. Forbes - YouTube Bug Could Have Exposed Emails Of 2.7 Billion Users ↩︎ ↩︎ ↩︎

  • notfromhere@lemmy.ml
    11·
    7 days ago

    I completely agree. This shit came down when they had their failed social circled thing where they broke search operators and required a Google account for YouTube. They’ve been on the full-blown path to enshittification ever since.