For at least four months and possibly much longer, YouTube was vulnerable to a sneaky exploit that could’ve leaked the email address of any of its users — all 2.7 billion of them.

The attack vector, uncovered by security researchers going by the aliases Brutecat and Nathan, combined two separate design shortcomings in Google APIs in order to get to its final target: acquiring an email address.

Before you panic: The researchers disclosed the security hole last September. Google has since patched it and issued a $10,000 reward to Brutecat and Nathan.

But here’s why the discovery is a big deal.

How The YouTube Exploit Works

A leaked email address might seem like a minor incursion, but chained with additional attack vectors it could ultimately have larger repercussions. It also puts users' anonymity at risk.

At the core of the security hazard is a Google account management mechanism dubbed GaiaID — a Google Accounts and ID Administration (GAIA) number linked to individual users.

“The GaiaID leak likely lasted for years now,” at least ever since Google “implemented the block feature on YouTube live chat,” Brutecat tells me. “Not long ago, these were even leaked from the YouTube comments API response for use with the profile card feature.”

Brutecat adds it’s “definitely possible that people scraped these GaiaIDs from comments,” but questions whether they would’ve successfully linked them to email addresses. More concerningly, the researcher notes that other Google products like GPay, Play and Maps also leaked GaiaIDs.

“I hope Google would eventually fix this as well,” Brutecat tells me, adding it’s possible there might be similar GaiaID-to-email attack vectors in the wild to be exploited in these products.

(Google wasn’t immediately available for comment, but I’ve reached out and will update this piece accordingly if I hear back.)

Back to the exploit. Leveraging a GaiaID to unveil an email address required another move. For that, Brutecat and Nathan used the Pixel Recorder app in order to email a potential victim.

At first, the researchers noticed that sharing a recording to an email address also triggered a notification, which would have alerted the user that something malicious was taking place. But by making the recording title 2.5 million characters long, they were able to send the email without triggering that notification.

The security whizzes have since posted a proof-of-concept video, which you can check out below:

Just How Big Is The Scale Of The YouTube Exploit?

Just how big of a danger is the GaiaID exploit? Well, the issue is that Google relies on this mechanism across its suite of products. For reference, YouTube has 2.7 billion users. Maps had surpassed 10 billion installs on Android by 2021.

Factoring this in, unpatched GaiaID leaks — whether in YouTube or other products — could put billions of users at risk. The good news is that Google has already plugged one of these holes; it had better hurry up and take care of the rest.
