Google, Youtube He corrected a security vulnerability that reveals users’ e-mail addresses. This clear, potentially could lead to a major violation of privacy. This violation of confidentiality was prevented by the efforts of the researchers.
‘Scary’ open on Google and Youtube
According to Mashable, based on a report published by BleepingComputer, the ‘scary’ word security vulnerability was discovered by cyber security researchers Brutecat and Nathan. Google, the owner of Youtube, confirmed that the security vulnerabilities discovered by Brutecat and Nathan have been resolved.
It could have affected all youtube accounts
The confidentiality violation was at a level that could affect all Youtube accounts. As you know, many Youtube users, such as controversial content producers, researchers, informants and activists, keep their identities confidential to protect their security. In particular, the disclosure of e-mail addresses of such users could have serious consequences.
How did the Youtube deficit come about?
Brutecat discovered that blocking a user on YouTube reveals the unique description of Gaia ID, which Google used to describe users on all platforms (Gmail, Google Drive, etc.).
According to the researcher, when a user’s three -point menu in the live chat profile of a user, youtube sends an API request and this request reveals the user’s Gaia ID. Since the unique identities of Youtube accounts should be used only by Google’s internal systems, this is considered a serious vulnerability in itself.
However, when Brutecat succeeded in obtaining these Gaia IDs, he wanted to see if he could reveal his e-mail addresses due to these identities. Together with Nathan, they thought that Google’s old and forgotten products could be some errors or logical flaws and that they could turn Gaia ID into an e-mail address.
To test this, they used Google’s Recorder (Record) app for Pixel devices. Consciously, they shared a registration file hidden with a Gaia ID and examined the e-mail sending mechanism. In order to prevent the user from receiving a notification, they managed to disrupt the system’s e-mail notification mechanism by making the name of 2.5 million characters in length.
Notification to the user is not going
In this way, they allowed a user to release the e-mail address associated with their Gaia ID without any notification.
Google managed to close the vulnerability
Fortunately, there is good news; Thanks to Brutecat and Nathan’s research, Google closed this security vulnerability and prevented all e-mail addresses associated with Youtube accounts from being captured by hackers.
The security vulnerability was reported to Google on September 2024 and completely resolved on 9 February 2025. Google, BleepingComputer’a said in a statement, any attacker actively abuse this gap, there is no sign that there is no sign.
10 thousand dollars for researchers
Researchers were given an award of $ 10,633 in exchange for their labor.