Researchers get $10K for disclosure of YouTube flaw that exposed billions of user emails


There were no truly private accounts on YouTube until recently. Security researchers demonstrated that any email behind an account could be pulled from Google using a relatively simple exploit. Google has patched the flaw and awarded researchers a $10,633 bounty.

Security researcher Brutecat, who runs a blog called brutecat.com, managed to chain several flaws across Google products to obtain the email address of any YouTube user.

First, the researcher noticed that YouTube was exposing the GAIA ID, a unique identifier that tracks a user's account across Google services. Simply by attempting to block a YouTube user, Brutecat could obtain the channel name and an obfuscated GAIA ID in the server response.


Moreover, the GAIA ID was included in the server response when a user simply clicked the three-dot menu, without any need to actually block the targeted channel. The technique could therefore be scaled across all four billion YouTube channels.

“This was super strange to me because YouTube should never leak the underlying Google account of a YouTube channel,” BruteCat writes in a blog post.


The second phase was to convert the exposed GAIA IDs to email addresses. With the help of another security researcher, Nathan (schizo.org), Brutecat started investigating old Google products that might contain additional flaws.

They discovered that Pixel Recorder’s endpoint returned the user's email address when requested to share a recording.

“This endpoint was taking in the obfuscated Gaia ID and... returning the email,” the researcher noted.

Each time the researchers tried this method, Google sent the targeted user a notification email. However, the researchers again found a clever and simple workaround.

“We realized – if it's including our recording title in the email subject, perhaps it wouldn't be able to send an email if our recording title was too long.”


They set the recording title to 2.5 million ‘X’ letters, and Google’s service stopped alerting users while still returning the email address.

Chaining these three flaws enabled the researchers to obtain any YouTube user’s email address without them noticing.
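The final link in the chain is a design flaw worth seeing in code: a share handler that treats the notification as a best-effort side effect and echoes the recipient's identity back to the caller. The following is an added, constructed illustration of that pattern beside a fail-closed version; it is not Google's or the researchers' code, and the mailer, limits, identifiers and sample user are all assumptions made for the example.

```python
"""Constructed illustration of a fail-open share notification (hypothetical,
not Google's code). The mailer limit, title limit and sample user are assumed."""
from dataclasses import dataclass

MAX_SUBJECT_LEN = 998   # assumed mailer limit on a subject line (constructed)
MAX_TITLE_LEN = 200     # assumed product limit on a recording title (constructed)


class MailerError(Exception):
    """Raised by the stand-in mailer when it refuses to send."""


@dataclass
class Recipient:
    obfuscated_id: str
    email: str


# Constructed sample directory keyed by an obfuscated account identifier.
USERS = {"gaia-sample-id": Recipient("gaia-sample-id", "victim@example.test")}


def send_mail(to: str, subject: str) -> None:
    """Stand-in mailer: rejects oversized subjects, as a real MTA might."""
    if len(subject) > MAX_SUBJECT_LEN:
        raise MailerError("subject too long")


def share_vulnerable(obfuscated_id: str, title: str) -> dict:
    """Fail-open: an unbounded title is placed in the subject, a mailer failure
    is swallowed, and the recipient's email is echoed back to the requester."""
    user = USERS[obfuscated_id]
    try:
        send_mail(user.email, f"Recording shared with you: {title}")
    except MailerError:
        pass  # notification silently dropped; the share still goes ahead
    return {"shared": True, "recipient": user.email}


def share_hardened(obfuscated_id: str, title: str) -> dict:
    """Fail-closed: bound the title, abort the share if the notification cannot
    be delivered, and never return the recipient's email to the requester."""
    if len(title) > MAX_TITLE_LEN:
        raise ValueError("title exceeds limit")
    user = USERS[obfuscated_id]
    try:
        send_mail(user.email, f"Recording shared with you: {title[:80]}")
    except MailerError:
        return {"shared": False, "reason": "notification failed"}
    return {"shared": True}


def hardened_rejects_long_title() -> bool:
    """Helper for checking that the hardened handler refuses an oversized title."""
    try:
        share_hardened("gaia-sample-id", "X" * 2_500_000)
    except ValueError:
        return True
    return False
```

The vulnerable handler shows why an oversized title defeats the notification without affecting the share, while the hardened one makes the notification a precondition of the share and keeps the email out of the response entirely.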

BruteCat responsibly disclosed the flaw to Google on September 15th, 2024, and soon received a decision on part of the problem. Google’s panel marked it as a duplicate of an existing bug and only awarded $3,133, citing medium exploitation likelihood.

After some back-and-forth communication, Google recognized the other bug affecting Pixel Recorder and awarded an additional $7,500.

This disclosure was one of the most debated Hacker News (YCombinator) topics on Wednesday, with some users speculating that Google “underpaid” the researchers for finding the flaws.