Andisearch Writeup

A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube’s 2.7 billion users by exploiting two separate Google services^[1][2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube’s block feature, then using Google’s Pixel Recorder app to convert these IDs into email addresses^[1:1].

To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system^[1:2]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users’ GaiaIDs without actually blocking them^[2:1].

Brutecat reported the vulnerability to Google on September 15, 2024^[1:3]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity^[1:4]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers^[2:2].

Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure^[1:5].