Google Fixes YouTube Vulnerability That Risked Email Exposure for 2.7 Billion Users
The flaw, tied to Google's internal Gaia ID system, was patched after researchers demonstrated how it could be exploited to reveal users' email addresses.
- Security researchers Brutecat and Nathan discovered two vulnerabilities in the YouTube and Pixel Recorder APIs that exposed users' Gaia IDs and linked email addresses.
- The exploit allowed attackers to retrieve Gaia IDs from YouTube live chat features and convert them into email addresses using a loophole in the Pixel Recorder app.
- The vulnerability posed significant privacy risks, especially for anonymous users such as activists, whistleblowers, and content creators.
- Google patched the flaw on February 9, 2025, after the researchers disclosed it in September 2024, and confirmed there was no evidence of active exploitation during the exposure period.
- The researchers were awarded $10,633 for their findings, which highlighted broader concerns about Gaia ID leaks across multiple Google services.