Google recently patched a couple of vulnerabilities that, if exploited, could have allowed threat actors to expose YouTube users’ email addresses.
A couple of vulnerabilities in YouTube-related APIs (Application Programming Interfaces) that could expose user emails were recently identified by security researchers BruteCat and Nathan.
They found that by combining data from the YouTube and Pixel Recorder APIs, they could obtain users' Google Gaia IDs, and subsequently convert them into their email addresses.
The implications are quite significant, seeing as numerous YouTube users, such as activists, whistleblowers and content creators, prefer to remain anonymous on the video platform.
The exploit was part of a broader attack chain. After analyzing Google’s internal People API, researcher BruteCat discovered that one of its “blocking” features used obfuscated Gaia IDs and display names.
Google services use Gaia IDs across its entire portfolio of platforms, including Gmail, YouTube, and Google Drive. However, since their purpose is exclusively internal, Gaia IDs should remain private.
While analyzing the Block feature, BruteCat discovered that YouTube exposes a user’s obfuscated Gaia ID when attempting to block them in a live chat.
After managing to trick YouTube’s API into exposing Gaia IDs, the researchers turned to converting them into email addresses.
Considering that modern APIs are designed to prevent such operations, BruteCat and Nathan shifted their focus to older, deprecated APIs. Their poking and prodding found a web-based API in Pixel Recorder that could be used to convert Gaia IDs into email addresses when sharing recordings.
However, sharing a recording also notified the impacted user, so the researchers devised a method to avoid detection: using a very large number of characters in the title field caused a fault in the notification system, and the notification was never delivered.
Although researchers shared their findings with Google on Sept. 24, Google only patched the vulnerabilities on Feb. 9.
As BleepingComputer reported, Nathan and BruteCat said Google’s mitigation included patching the Gaia ID leak in the YouTube API’s block function, as well as the Gaia ID conversion flaw in the Pixel Recorder API.
The company also modified its blocking rules, so that restricting a user on YouTube only affects that user on YouTube and doesn’t extend to other services in Google’s portfolio.
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
February 11, 2025