Security Flaw in YouTube’s API May Have Exposed Email IDs of Millions
For nearly four months or more, YouTube was vulnerable to exploits that may have leaked the email IDs of many users, 2.7 billion of them.
The latest attack vector on the popular app was uncovered by security researchers going by the aliases Brutecat and Nathan. It combined two separate design shortcomings inside Google APIs to get hold of victims' email IDs.
Before you begin panicking: the researchers disclosed the security loophole in September of 2024. Google has since rolled out a fix and issued a $10,000 reward to Brutecat and Nathan. So the question is why the whole issue is a major deal in the first place.
The GaiaID leak is said to have lasted for a few years now, ever since Google rolled out the block feature on the app’s live chat. The IDs were said to be leaked in the app’s comments API replies, for use with profile cards.
Brutecat says it’s very much possible that people scraped the GaiaIDs from the comments section, but whether those IDs could be successfully linked to email IDs remains questionable.
The researcher added that Google’s other products, such as Play, Maps, and GPay, also ended up leaking GaiaIDs. Many hope Google will fix these shortcomings, as they could give rise to similar attacks in the future. So far, this vulnerability hasn’t been abused by attackers.
Coming back to this particular exploit, a spokesperson mentioned that the vulnerability hasn’t been abused by attackers so far. It was also shared that the GaiaID was leveraged through the Pixel Recorder platform to email potential targets.
At the start, the researchers shared, sending recordings came with email alerts that would make users aware that something was not quite right. By making the recording title 2.5 million characters long, they could do so without users being alerted by notifications.
Now the question is how big this exploit was to begin with. The issue is that Google relies upon this technique for a host of products in its suite. For reference, the app has 2.7 billion users. Maps had surpassed the 10 billion installs figure on Android by the year 2021.
Cybersecurity experts mentioned that unpatched GaiaID leaks, whether through YouTube or any of Google's other products, might put billions of individuals at serious risk. The great thing is that the Android maker has managed to plug one of the holes. Now it just needs to fix the rest of the loopholes to ensure users remain safe.