Security researchers Brutecat and Nathan found a severe vulnerability chaining the YouTube and Pixel Recorder APIs that exposed the email address behind any YouTube account, a major privacy issue, as reported by BleepingComputer.
Google has confirmed the vulnerability is fixed: attackers can no longer obtain a user's Google Gaia ID and convert it into an email address.
For YouTube users the exposure is serious. An email address ties an account to a real identity, including for people who deliberately post under a pseudonym to stay anonymous online.
How does the exploit work?
Brutecat found the first part of the chain, which stayed open for about a month: blocking a user on YouTube exposes a unique identifier called a Gaia ID, which Google uses across all of its services, including Gmail and Drive. Every Google account has its own distinct Gaia ID.
When a user clicks the three-dot menu in a chat to reach the block button, Brutecat observed that the API requests behind that menu return the target account's Gaia ID.
This is serious because a basic, legitimate action hands out Google's internal account identifier for any user. With Gaia IDs extracted from arbitrary users, the team set out to turn each ID into the associated email address.
Nathan joined the effort to find that conversion, looking at older Google products for weak points in Gaia ID-to-email lookups.
They found one in the Pixel Recorder web app: sharing a recording with a Gaia ID resolves that ID to the recipient's email address. Normally the recipient is emailed about the share, but renaming the recording to a title roughly 2.5 million characters long broke the notification, because the alert system could not handle a title of that length.
The researchers could therefore issue a share request for any Gaia ID and collect the email address without the victim ever being notified.
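The second half of the chain is really two bugs in one endpoint: the share response echoes the recipient's email, and a notification failure is treated as harmless instead of aborting the share. The following is an added model of that failure mode, written for this article; it is not Google's code or the researchers' tooling. The directory entries, account ID, limits (`MAX_TITLE_CHARS`, `NOTIFIER_MAX_TITLE`) and function names are all constructed for the example, and the mock notifier simply fails on an overlong title to stand in for the real alert system breaking.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed directory: internal account ID -> e-mail. Both values are made up.
DIRECTORY = {"10000000000000000001": "victim@example.com"}

# Hypothetical limits; the real services' values are not given in the article.
MAX_TITLE_CHARS = 255          # bound a hardened share endpoint would enforce
NOTIFIER_MAX_TITLE = 100_000   # point at which the mock notifier gives up


class NotificationError(Exception):
    """Raised when the alert e-mail to the recipient cannot be delivered."""


@dataclass
class Recording:
    title: str


@dataclass
class ShareResult:
    recipient_email: Optional[str]  # leaky flow fills this in; hardened flow never does
    notified: bool
    share_id: str


def send_notification(email: str, title: str) -> None:
    """Mock alert pipeline: an extremely long title makes delivery fail,
    mirroring the failure the researchers triggered with a 2.5M-character name."""
    if len(title) > NOTIFIER_MAX_TITLE:
        raise NotificationError("notification message too large")
    # A real service would send the e-mail here.


def share_vulnerable(rec: Recording, gaia_id: str,
                     notify: Callable[[str, str], None] = send_notification) -> ShareResult:
    """Leaky flow: resolves the ID to an e-mail, returns it to the caller,
    and treats a failed notification as non-fatal, so the victim never learns
    that a lookup happened."""
    email = DIRECTORY[gaia_id]
    notified = True
    try:
        notify(email, rec.title)
    except NotificationError:
        notified = False  # swallowed: the share (and the leak) still goes through
    return ShareResult(recipient_email=email, notified=notified, share_id="share-1")


def share_hardened(rec: Recording, gaia_id: str,
                   notify: Callable[[str, str], None] = send_notification) -> ShareResult:
    """Fail-closed flow: bounded input, the recipient's e-mail never leaves the
    server, and a notification failure aborts the share instead of being ignored."""
    if len(rec.title) > MAX_TITLE_CHARS:
        raise ValueError("title exceeds %d characters" % MAX_TITLE_CHARS)
    email = DIRECTORY.get(gaia_id)
    if email is None:
        raise LookupError("unknown recipient")
    notify(email, rec.title)  # NotificationError propagates: no silent share
    return ShareResult(recipient_email=None, notified=True, share_id="share-1")


if __name__ == "__main__":
    victim = "10000000000000000001"
    leak = share_vulnerable(Recording("a" * 2_500_000), victim)
    print("vulnerable flow leaked:", leak.recipient_email, "notified:", leak.notified)
    try:
        share_hardened(Recording("a" * 2_500_000), victim)
    except ValueError as exc:
        print("hardened flow rejected:", exc)
    ok = share_hardened(Recording("team sync"), victim)
    print("hardened flow returned e-mail:", ok.recipient_email, "notified:", ok.notified)
```

The two defences are independent and both matter: the length check stops this particular trick, but only the fail-closed notification stops the next way someone finds to break the alert, and keeping the email out of the response removes the oracle regardless of whether the notification works.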
Brutecat and Nathan reported the flaw to Google, which fixed it so that the email addresses behind YouTube accounts stay private.
The issue was reported in September 2024 and Google confirmed it was fixed by February 9, 2025, adding that it found no evidence of the vulnerability being exploited.