Worrying YouTube security flaw exposed billions of user emails

the YouTube logo on a screen in front of other YouTube logos covering a black background
(Image credit: Shutterstock / JRdes)

  • A researcher has discovered a worrying YouTube security vulnerability
  • The flaw allowed outsiders to gain access to all YouTube account emails
  • This has since been patched, so users should update as soon as possible

Experts have warned that any email from a YouTube account could be pulled from Google with a ‘relatively simple exploit’

A researcher who goes by Brutecat managed to leverage several vulnerabilities across Google products to access the email address of any YouTube user, CyberNews reports.

Google has now patched the flaw, but this does represent a serious risk to the privacy of users, and could put them in danger of phishing attacks. Around 1 billion hours of YouTube is watched daily, with almost 2.5 billion users and 51 million channels - so privacy is important, here’s what we know.

Bounty hunters

The vulnerabilities were discovered because the researcher was "digging through the Internal People API (staging)" and noticed "something interesting". They found that by blocking if you block someone on YouTube, you can leak their Google account identifier.

To continue, the researcher discovered that by clicking the three dot context menu, the GAIA ID was included in the server response, so there was no need to block the channel - meaning this could be escalated to every YouTube account - all four billion of them.

Then, by looking into old Google products, they discovered that the Pixel Recorder contained a bug that would allow them to convert the exposed GAIA ID to an email address. At first, when they did this, the victim would receive an email notification - which lowers the impact of the vulnerability quite significantly. However, they discovered a work around;

“That's when we realized - if it's including our recording title in the email subject, perhaps it wouldn't be able to send an email if our recording title was too long.”

This worked - and when the recording title was lengthened to 2.5 million letters, "bingo! No notification email".

For the disclosure of the flaw, the researcher was awarded a $10,633 bounty. There’s a long standing tradition of software service providers offering bug bounties for security researchers, with Google handing out $10 million in bounties in 2023.

The report was sent on September15 2024 - and in November, the first award of $3,133 was given, with the rationale: "Exploitation likelihood is medium. Issue qualified as an abuse-related methodology with high impact."

By December, a further $7,500 was given, this time because "exploitation likelihood is high. Issue qualified as an abuse-related methodology with high impact" - thanks to an updated report from the product team.

The risk to users

Clearly, Google has identified a risk for the abuse of this flaw - but what is the risk for users? Well, since login credentials, passwords, or other personally identifiable information is not a part of this attack - that just leaves social engineering attacks via email.

We say ‘just’, but phishing attacks are a serious concern, and they claim millions of victims each year - and can lead to much more serious crimes like identity theft or fraud.

If a cybercriminal does email you, there are big red flags you can look out for. The first of all, is their email address - if it's G00gle or M1crosoft instead of their legitimate addresses, don’t open it. Or, if you get a completely unexpected email from a ‘friend’ from an account you don’t recognize - especially one that urges action (i.e. asks you to click a link, send over money, buy a gift card, etc) - then be very very suspicious.

If you’re automatically suspicious of the emails you receive, you’ll be in a better position.

To be safe, you should create strong and secure passwords for each account - and make sure to change them as often as you can remember to.

The final thing to look for is attachments - if the account who sent the account is unknown and the email contains images, links, or documents - this is suspicious. QR codes can be malicious, so don’t scan anything you’re not certain is safe.

You might also like

TOPICS
Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.