- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
cross-posted from: https://lemmy.ml/post/26039725
Andisearch Writeup
A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube’s 2.7 billion users by exploiting two separate Google services[1][2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube’s block feature, then using Google’s Pixel Recorder app to convert these IDs into email addresses[1:1].
To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system[1:2]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users’ GaiaIDs without actually blocking them[2:1].
Brutecat reported the vulnerability to Google on September 15, 2024[1:3]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity[1:4]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers[2:2].
Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure[1:5].
You must log in or register to comment.
I don’t consider username/passwords to be secure information. Everything has been hacked a few times now, not even sure how there is even any value in it.
