How YouTube And Pixel Recorder Accidentally Made It Possible To Expose Your Google Email

A YouTube bug allowed researchers to reveal the Google email of users.

Edgar Cervantes / Android Authority

TL;DR

  • Researchers discovered a YouTube exploit that allowed attackers to extract a user’s Google account ID and convert it into their email address.
  • The flaw combined YouTube’s live chat system with a loophole in Google Pixel Recorder, which returned emails when given a Google ID.
  • Google patched the issue after a few months and awarded the researchers a $10,633 bug bounty.

YouTube has recently been in the spotlight for frustrating users with stricter ad blocker policies and long, unskippable ads. However, a newly revealed security flaw posed an even bigger concern, potentially exposing users’ email addresses.

As documented in a Brutecat article, YouTube allowed white-hat hackers to uncover the email address behind any YouTube account. Security researchers Brutecat and Nathan found that combining vulnerabilities in YouTube’s live chat system and Google Pixel Recorder made it possible to expose a user’s Google account email.

How the YouTube exploit worked

The issue stemmed from how YouTube handles user blocking. When someone is blocked, YouTube stores their obfuscated Google account ID — known as a Gaia ID — rather than their actual email address. While this ID is meant to remain internal, the researchers found that clicking on a user’s profile in a YouTube live chat triggered a request to YouTube’s backend that contained the Gaia ID in a base64-encoded format.


This meant that any YouTube user, including those trying to stay anonymous, could have their Gaia ID extracted simply by interacting with them in a live chat. With this ID in hand, the researchers sought a way to convert it into an email address.

That’s where Pixel Recorder came into play. The team discovered that when sharing an audio recording via the web-based Pixel Recorder app, the backend would include the recipient’s email address in its response, provided the sender supplied the recipient’s Gaia ID instead of an email. This effectively turned Pixel Recorder into an unintended ID-to-email lookup tool for Google accounts.

Initially, the YouTube exploit had one flaw: whenever an attacker used Pixel Recorder to retrieve a target’s email, the target would receive a notification about the shared recording. However, the researchers found a way to reduce the likelihood of this happening.

Since the notification email included the recording’s title, they manipulated their requests to generate an excessively long title — millions of characters in length. This caused Google’s email notification system to fail in their tests, preventing alerts from being sent in those cases.
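To make the two mistakes concrete, here is a constructed toy model of a share-by-account-ID endpoint (added example, not Google’s or the researchers’ code). Account IDs, emails, the title cap and the notification pipeline are all assumptions; the point is that the vulnerable handler echoes the recipient’s email and swallows a notification failure caused by an oversized title, while the hardened handler validates the title first and returns nothing about the recipient.

```python
"""Toy model of an ID-to-email oracle in a 'share recording' endpoint.

Constructed example. DIRECTORY stands in for an internal account store
keyed by an opaque account ID (the role Gaia IDs play in the article);
the emails are fake sample data.
"""
import base64

DIRECTORY = {  # constructed sample data
    "100000000000000000001": "alice@example.com",
    "100000000000000000002": "bob@example.com",
}
MAX_TITLE_LEN = 256           # assumed cap a hardened endpoint enforces
NOTIFY_HARD_LIMIT = 10_000    # assumed point where the toy mailer breaks
NOTIFICATIONS = []            # (email, title) pairs the toy mailer delivered


def encode_account_id(account_id: str) -> str:
    """The live-chat request carried the ID base64-encoded."""
    return base64.b64encode(account_id.encode()).decode()


def decode_account_id(token: str) -> str:
    return base64.b64decode(token).decode()


def send_notification(email: str, title: str) -> None:
    """Toy mail pipeline: an absurdly long subject makes delivery fail."""
    if len(title) > NOTIFY_HARD_LIMIT:
        raise ValueError("subject too long")
    NOTIFICATIONS.append((email, title))


def share_vulnerable(account_id: str, title: str) -> dict:
    """Mirrors the flaw: email echoed to caller, mail failure swallowed."""
    email = DIRECTORY.get(account_id)
    if email is None:
        return {"ok": False}
    try:
        send_notification(email, title)
    except ValueError:
        pass  # the target never learns a share happened
    return {"ok": True, "recipient": email}  # leaks the email


def share_hardened(account_id: str, title: str) -> dict:
    """Reject oversized titles up front; never echo recipient data."""
    if len(title) > MAX_TITLE_LEN:
        return {"ok": False, "error": "title too long"}
    if account_id not in DIRECTORY:
        return {"ok": False, "error": "share failed"}
    send_notification(DIRECTORY[account_id], title)
    return {"ok": True}  # caller learns only that the share succeeded
```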

Google’s response

The exploit was reported to Google in September. At first, the company only classified it as a duplicate of a previously tracked bug, awarding a $3,133 bounty. However, after the researchers demonstrated the additional Pixel Recorder exploit, Google re-evaluated the issue. In December 2024, it increased the payout to $10,633, acknowledging the high risk of exploitation.


Google recently fixed the YouTube Gaia ID leak and the Pixel Recorder email exposure. YouTube’s blocking system was also updated so that it no longer syncs across all Google services.

In a response to BleepingComputer regarding the bug, Google said that there is no evidence the vulnerabilities were actively exploited before being patched.
