For at least four months, YouTube was vulnerable to a sneaky exploit that could have leaked the email address of any of its users — all 2.7 billion of them.

Andisearch Writeup

A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube’s 2.7 billion users by exploiting two separate Google services[1][2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube’s block feature, then using Google’s Pixel Recorder app to convert these IDs into email addresses[1:1].

To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system[1:2]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users’ GaiaIDs without actually blocking them[2:1].

Brutecat reported the vulnerability to Google on September 15, 2024[1:3]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity[1:4]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers[2:2].

Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure[1:5].

  1. Brutecat - Leaking the email of any YouTube user for $10,000 ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  2. Forbes - YouTube Bug Could Have Exposed Emails Of 2.7 Billion Users ↩︎ ↩︎ ↩︎

  • mhague@lemmy.world
    24·
    6 days ago

    Why not couch the article as “a vulnerability was found and patched” instead of “something bad could have happened”?

    “STORE COULD HAVE BEEN ROBBED!! A bystander noticed the door wasn’t locked, with the owner realizing he hadn’t been locking it correctly. There is no evidence anyone broke in.”

    News in the porcelain village in Oz.

    • irotsoma
      10·
      6 days ago

      Because with stores, the evidence would be missing products. Very easy to see. With bugs like this, a million people could have abused it, or one. Either way that data is likely available to all who want it.

      A better comparison is, store posted list of their customer’s addresses on the back door. No clue how many people walked by there much less if anyone copied it down.

      Problem is that knowing the link between a person’s profile and their email now means you know the link between their account and their accounts in many other places. That information could be used to offer the person different prices at stores, attack them for being a minority or activist, to hack their account because their password was leaked from another site that uses that email,or all the other things these cumulative leaks add up to.

    • Zerush@lemmy.mlOP
      5·
      6 days ago

      That isn’t “something bad could have happened”, but “how much has already happened” because of this.