
Dangerous YouTube vulnerability discovered: how researchers saved millions of email addresses

A team of cybersecurity researchers, Brutecat and Nathan, has identified a critical vulnerability in YouTube that jeopardized the privacy of millions of users. The bug allowed attackers to access the email addresses associated with the platform’s accounts. This was especially dangerous for anonymous contributors – journalists, activists and bloggers who hide their identities for security.

How could attackers get the data?

It all started with a non-obvious detail: when a user was blocked in a YouTube live chat, the system automatically generated an API request that returned Google’s internal identifier, the Gaia ID. This unique code, like a fingerprint, links all of the account’s services: Gmail, Drive, Photos, and others. Initially, it seemed that Gaia ID was useless without access to Google’s internal systems. However, Brutecat and Nathan have proven otherwise.

Using old Google services, such as the Recorder app for Pixel smartphones, the researchers were able to convert a Gaia ID into an email address. To make sure the victim didn’t notice, they renamed the file so that its name was 2.5 million characters long. This “overload” broke the notification system, and the user was not notified of the suspicious activity.
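The defensive lesson from the oversized file name, as an added example that is not Google's code or part of the original article: cap the name length when it is written, and treat the notification as part of the operation so that a failed notice undoes the action. The `FileService` and `SizeLimitedNotifier` classes, the 255-character cap and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_NAME_LEN = 255  # assumed cap; choose what the notification pipeline can carry


class ActionRejected(Exception):
    """Raised when an operation is refused or rolled back."""


class SizeLimitedNotifier:
    """Constructed stand-in for a notification pipeline that fails on huge subjects."""

    def __init__(self, limit: int = 1000):
        self.limit = limit
        self.sent = []

    def send(self, recipient: str, subject: str) -> None:
        if len(subject) > self.limit:
            raise ValueError("subject too large")
        self.sent.append((recipient, subject))


@dataclass
class FileService:
    """Hypothetical backend for actions that must notify the affected account."""

    notifier: SizeLimitedNotifier
    actions: set = field(default_factory=set)

    def rename(self, name: str) -> str:
        # Enforce the limit at write time so no stored name can exceed it.
        if not name or len(name) > MAX_NAME_LEN:
            raise ActionRejected(f"name length {len(name)} outside 1..{MAX_NAME_LEN}")
        return name

    def act_with_notice(self, file_id: str, name: str, affected_user: str) -> None:
        name = self.rename(name)  # re-validate: stored data may predate the cap
        self.actions.add((file_id, affected_user))
        try:
            self.notifier.send(affected_user, f"Activity on: {name}")
        except Exception as exc:
            # Fail closed: an action the user was never told about is undone.
            self.actions.discard((file_id, affected_user))
            raise ActionRejected("notification failed, action rolled back") from exc
```
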

Google’s response and timeline of events

The bug was reported to the company in September 2024, but the fix wasn’t released until February 9, 2025. That timeline raised questions, but Google explained: the vulnerability required deep changes to the services architecture, and no traces of its exploitation by hackers were found. The researchers received $10,633 as part of a bounty program, a standard practice for White Hat hackers to help improve security.

What was the threat of the Gaia ID leak?

The disclosure of Google’s internal ID opened the door to a whole range of attacks:

  • Deanonymization: Tying an anonymous YouTube account to a real email.
  • Targeted phishing: Personalized emails with fake links.
  • Chain attacks: Hacking into other services via access restoration.

How do I protect myself after an incident?

Google recommends updating all account-related apps and activating two-factor authentication. Users should check their account login history and revoke access from unfamiliar devices. For anonymous profiles, it’s critical to use separate emails that aren’t associated with personal information.

Even the ecosystem of a giant like Google can hide dangerous holes. But this case isn’t a reason to panic, it’s a reminder that digital security is built on collaboration. Thanks to responsible bug-hunting by researchers, disaster was avoided. But every user should remember: privacy starts small – paying attention to settings, updates, and suspicious activity. In a world where data has become currency, vigilance is the best antivirus.

The post “Dangerous YouTube vulnerability discovered: how researchers saved millions of email addresses” was first published on ITZine.ru.
