
Cybersecurity experts uncovered a concerning security vulnerability in YouTube and Google
Google recently patched a serious security flaw that could have exposed the email addresses of YouTube users, raising major privacy concerns. The issue, discovered by cybersecurity researchers Brutecat and Nathan, was reported by BleepingComputer.
The Flaw
This vulnerability was especially alarming for YouTubers who rely on anonymity, such as whistleblowers, investigators, and activists. If their email addresses were exposed, it could have put their safety at risk.
The flaw was linked to a unique internal identifier called a Gaia ID, which Google uses across its platforms (like Gmail and Google Drive). Brutecat found that blocking a user on YouTube revealed this identifier. They then discovered that accessing the block function in a YouTube live chat triggered an API request, exposing the Gaia ID.
Realizing the security risk, the researchers teamed up to see if they could turn a Gaia ID into an email address. By exploiting an old Google product—Google Recorder for Pixel devices—they found a loophole. They attempted to share a recording while blocking email notifications by renaming the file with an extremely long name. This broke the system, allowing them to send a file-sharing request that converted the Gaia ID into an email address.
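As an added illustration (not code from Google, the researchers, or the original article), the sketch below shows two service-side controls that address the two links in this chain: responses that expose only a per-context pseudonym instead of an internal account ID, and a share operation that rejects over-long titles and fails closed when the recipient notification cannot be sent. All names, the 255-character limit and the key are assumptions made for the example.

```python
"""Added illustration: a hypothetical share service, not Google's code."""
import hashlib
import hmac

MAX_TITLE_LEN = 255                      # assumed limit: reject, never truncate silently
PSEUDONYM_KEY = b"constructed-demo-key"  # constructed value; use a secret store in practice


class ShareRejected(Exception):
    """Raised when a share must not be created."""


def public_id(internal_id: str, context: str) -> str:
    """Derive a per-context pseudonym for an internal account ID.

    An identifier observed in one product (e.g. a chat response) is then
    useless as input to another product's API.
    """
    msg = f"{context}:{internal_id}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:24]


def block_response(internal_id: str) -> dict:
    """Build the response for a hypothetical block-user call.

    Only allowlisted fields are returned; the internal ID never leaves
    the service.
    """
    return {"blocked": True, "user": public_id(internal_id, "live_chat")}


def share_recording(title: str, recipient_id: str, notify, grants: list) -> None:
    """Create a share only if the recipient notification goes out.

    `notify` is a hypothetical callable that sends the notification and
    raises on failure. Nothing about the recipient is returned to the caller.
    """
    if not title or len(title) > MAX_TITLE_LEN:
        raise ShareRejected("title length out of bounds")
    try:
        notify(recipient_id, title)
    except Exception as exc:
        # Fail closed: a broken notification path must not yield a silent share.
        raise ShareRejected("notification failed; share not created") from exc
    grants.append((recipient_id, title))
```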
Reward
Thanks to Brutecat and Nathan’s efforts, Google was able to fix the issue before hackers could take advantage of it. The flaw was reported in September 2024 and officially patched on February 9, 2025. While that’s a long window for potential exposure, Google confirmed that there were no signs of the vulnerability being exploited.
For their discovery, the researchers received a $10,633 reward.