YouTubers’ Identities Were At Risk For Months Because Of This Flaw

Digital privacy is everything nowadays, and it’s especially true because of hackers and other bad actors. So, the fact that there was a security flaw that put YouTubers’ email addresses at risk should make people worry. Thankfully, the issue has been resolved.

How were YouTubers’ email addresses at risk?

Obtaining the email address wasn’t quite a piece of cake, so we’re not sure that many people (if anyone) were able to hack any accounts. This says a lot, as this vulnerability existed for several months back in 2024.

Gaining access to people’s YouTube account email addresses actually required the use of two flaws in Google’s systems, which makes it more unlikely that anyone would have exploited it. The first one was an issue with Google’s People API.

Google’s network-wide blocking feature required an “obfuscated Google Gaia ID.” A Gaia ID is unique to every Google account. It’s an identifier that’s used across all of the Google products on someone’s account. So, your ID is used in Docs, Gmail, Sheets, Maps, and so on. This also includes YouTube.

The person who found this flaw, Brutecat, discovered that if you block someone in a YouTube live chat, the platform would expose that person’s Gaia ID. This is pretty bad because it’s possible to extract someone’s email address from that ID. Gaia IDs are not meant to be public, as you could guess. The ID itself doesn’t store the email address in plain text. Rather, it carries base64-encoded data which needs to be decoded to reveal the email address.

Decoding the IDs

Simply finding the Gaia IDs wasn’t enough. This is where another researcher, Nathan, comes in. The two couldn’t simply decode the IDs on the spot. They needed an API old enough to still decode them, because newer APIs no longer have the ability to decode IDs.

The team found that the Pixel Recorder API was just the one to do it. Pixel Recorder has a web-based API, and when the team submitted the IDs to the API’s sharing feature, it decoded the IDs and provided the email addresses.

After getting a report on the issue on September 24 and paying the researchers $10,633, Google patched the bug. This is fortunate, as it could have been disastrous if that bug got out to the public.