Google has fixed a security flaw that exposed the email addresses of YouTube users, a potentially massive privacy breach.
Google — which owns YouTube — has confirmed that the vulnerabilities discovered by cybersecurity researchers, who go by Brutecat and Nathan, have been addressed, according to a report in BleepingComputer.
Aside from the breach of privacy that would've affected all YouTube accounts, many YouTubers like controversial content creators, investigators, whistleblowers, and activists keep their identities anonymous to protect their safety. Exposing such users' emails could have had huge ramifications.
Brutecat discovered that blocking a user on YouTube revealed a unique internal identifier Google uses for each user across all of its platforms (Gmail, Google Drive, etc.) called a Gaia ID. They then figured out that simply clicking the three-dot icon of a user's live chat profile to access the block function triggered an API request that revealed their Gaia ID.
This in itself is already a security flaw, since it exposed unique identifiers for YouTube accounts that are only meant to be used internally. But now that Brutecat was able to retrieve users' Gaia IDs, they set out to see if they could reveal the email addresses associated with each ID.
With Nathan's help, the two researchers surmised they could do this with "old forgotten Google products since they probably contained some bug or logic flaw to resolve a Gaia ID to an email." Using Google's Recorder app for Pixel devices, they tested sharing a recording with an obfuscated Gaia ID and blocked the user from receiving an email notification by renaming the file with a 2.5-million-letter name, which broke the email notification system because it was too long.
Now that the hypothetical victim wouldn't be notified, the researchers sent the file sharing request with the Gaia IDs, effectively converting the ID into an email address.
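The design weakness described above, modelled as an added example (not Google's code or the researchers'): a share handler that swallows a notification failure and echoes the resolved address, next to a version that bounds the title, fails closed, and returns only the opaque ID. All function names, the length limit, the sample directory and the response shape are assumptions made for illustration.

```python
# Added illustration: a hypothetical share handler, not code from any real product.
MAX_TITLE_LEN = 255  # assumed limit; the article does not state one
DIRECTORY = {"100000000000000000001": "alice@example.com"}  # constructed sample data


class ShareRejected(Exception):
    """Raised when a share request must not be committed."""


def send_notification(email, title):
    """Stand-in mailer that rejects oversized subjects (assumed behaviour)."""
    if len(title) > 1000:
        raise ValueError("subject too long")
    return True


def share_vulnerable(internal_id, title):
    """Pattern to avoid: mail failure is swallowed and the email is echoed back."""
    email = DIRECTORY[internal_id]
    try:
        send_notification(email, title)
        notified = True
    except ValueError:
        notified = False  # the recipient never learns a share happened
    return {"shared": True, "notified": notified, "recipient": email}


def share_hardened(internal_id, title):
    """Validate input first, fail closed on mail errors, never return the email."""
    if len(title) > MAX_TITLE_LEN:
        raise ShareRejected("title too long")
    email = DIRECTORY.get(internal_id)
    if email is None:
        raise ShareRejected("unknown recipient")
    try:
        send_notification(email, title)
    except ValueError as exc:
        # No notification means no share: the recipient must be able to see it.
        raise ShareRejected("notification failed; share not committed") from exc
    # The caller supplied an opaque ID, so the response contains only that ID.
    return {"shared": True, "notified": True, "recipient": internal_id}
```
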
Thanks to Brutecat and Nathan's sleuthing, Google was able to lock down that vulnerability and prevent hackers from accessing everyone's email address associated with their YouTube accounts. The vulnerability was disclosed to Google in Sep. 2024 and was finally fixed on Feb. 9, 2025. That's a long time for potential exposure, but Google confirmed to BleepingComputer that there were "no signs that any attacker actively exploited the flaws."
In exchange for their work, the researchers received a cool $10,633. Phew, crisis averted.