Critical Google Vulnerability Could Have Exposed YouTube Channel Email Addresses

• An attack chain on Google services could have leaked the email address associated with any YouTube channel.
• A product flaw in Google’s Pixel Recorder permitted resolving a Gaia ID to an email.
• Together with user IDs exposed via the YouTube blocking feature, it made any YouTube channel address available.

A pair of linked vulnerabilities within Google’s systems allowed the revealing of the email addresses of YouTube channels via exposed Gaia IDs and the audio recording app for Google Pixel devices. The flaws are now resolved.

While investigating Google's People API, a security researcher operating under the pseudonym Brutecat identified a function that facilitates blocking YouTube users. 

This function utilizes an obfuscated identifier, the Gaia ID, which is part of Google’s central identity management system across its services. 

Since blocking a YouTube user also blocks them on other Google services, the researcher speculated that the Gaia ID could potentially be linked to an email address through an overlooked or obsolete Google service.

"In the past, there have been several bugs to resolve these to an email address, so I was confident there was still a Gaia ID to Email in some old obscure Google product," Brutecat explained. 

This hypothesis led to the discovery of such a vulnerability in the web version of Pixel Recorder, an audio recording app designed for Google Pixel devices. 

Through the recording-sharing function, the researcher identified that when a recording is shared to a Gaia ID, the recipient’s email address could be exposed by reviewing the web request. Typically, this action triggers a notification to the recipient, alerting them of the file share. 

However, Brutecat circumvented this by employing a Python script to generate an exceptionally long file name—approximately 2.5 million characters—which caused the notification mechanism to fail while still leaking the email address.

The researcher submitted the findings to Google as part of its bug bounty program. Upon further evaluation and consideration of the vulnerability's potential for exploitation, Google reclassified the severity of the issue and raised the reward, bringing the total bounty to $10,633.

Last month, a HackerOne member found a U.S. Department of Defense public Google Drive link that exposed military orders containing Personal Identifiable Information (PII) and operational details.