
A critical vulnerability in YouTube’s infrastructure allowed attackers to expose the email addresses tied to anonymous channels by combining flaws in Google’s account management system and an outdated Pixel Recorder API.
The exploit chain, discovered by security researchers Brutecat and Nathan, leveraged YouTube’s internal user-blocking feature and a misconfigured cloud service to bypass privacy protections, posing significant risks to activists, whistleblowers, and pseudonymous creators.
The attack began by exploiting YouTube’s live chat moderation system. Researchers found that simply opening the context menu (via the three-dot button) on a user’s live chat message triggered an API request (/youtubei/v1/live_chat/get_item_context_menu).
This request returned a base64-encoded parameter containing the target’s obfuscated Gaia ID, a unique Google account identifier meant for internal use.
By modifying the API parameters, attackers could extract Gaia IDs from any YouTube channel, including those with no live activity. For example, a test on an auto-generated Topic channel revealed the Gaia ID 103261974221829892167.
While Gaia IDs are not inherently sensitive, they become problematic when paired with other vulnerabilities. The researchers found that Google’s Pixel Recorder API could convert these IDs into email addresses.

By sharing a recording through Pixel Recorder and inputting the leaked Gaia ID, the system returned the associated email address, effectively unmasking the user’s identity, researchers said.
To avoid detection by victims, the researchers discovered a way to suppress notification emails sent during this process. By manipulating the recording title to exceed millions of characters, they caused the notification system to fail silently.
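The silent notification failure described above is what a fail-closed share handler is meant to prevent. The sketch below is an added illustration, not Google's code or anything from the researchers' write-up; the class names, the limits and the notifier are hypothetical.

```python
# Added illustration: all names and limits here are hypothetical assumptions.
from dataclasses import dataclass, field

MAX_TITLE_CHARS = 200            # assumed product limit, enforced at the API edge
MAX_NOTIFY_BODY_BYTES = 64_000   # assumed limit of the downstream mail system


class ShareRejected(Exception):
    """Raised when a share request must not take effect."""


@dataclass
class Notifier:
    sent: list = field(default_factory=list)

    def send(self, recipient_id: str, body: str) -> None:
        # Stand-in for a mail service that refuses oversized messages.
        if len(body.encode("utf-8")) > MAX_NOTIFY_BODY_BYTES:
            raise ValueError("notification body too large")
        self.sent.append((recipient_id, body))


@dataclass
class ShareService:
    notifier: Notifier
    shares: list = field(default_factory=list)

    def share(self, owner: str, recipient_id: str, title: str) -> dict:
        # 1. Bound caller-controlled input before it reaches any other system.
        if not title or len(title) > MAX_TITLE_CHARS:
            raise ShareRejected("title length out of bounds")
        # 2. Notify first; a failure aborts the share instead of being swallowed.
        try:
            self.notifier.send(recipient_id, f"{owner} shared '{title}' with you")
        except Exception as exc:
            raise ShareRejected("recipient could not be notified") from exc
        # 3. Only now record the share, and echo back nothing about the
        #    recipient beyond the identifier the caller already supplied.
        self.shares.append((owner, recipient_id, title))
        return {"status": "shared", "recipient_id": recipient_id}
```

Because the notification is sent before the share is recorded, a recipient cannot be added to a share without being told about it.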
This vulnerability posed a severe privacy risk for millions of YouTube users. Content creators who wished to remain anonymous were particularly vulnerable, as their email addresses could be exposed without their consent. This could lead to targeted harassment, phishing attacks, or other malicious activities.

The exploit also highlighted broader concerns about Google’s data management practices. Gaia IDs are used across multiple Google services, meaning similar vulnerabilities could potentially affect other platforms like Google Maps or Play Store.
“Gaia IDs are leaked across several Google products apart from just YouTube…causing a significant privacy risk for all Google users,” Brutecat told reporters.
Google’s Response
The researchers disclosed the issue to Google on September 24, 2024. Initially, Google classified it as a duplicate of a previously reported bug and awarded a modest $3,133 bounty.
However, after further clarification regarding the Pixel Recorder component, Google increased the reward to $10,633 and took steps to address both vulnerabilities.
Google confirmed that it had mitigated the issue by patching both YouTube’s API and Pixel Recorder’s sharing mechanism. Additionally, blocking users on YouTube now only affects interactions within that platform and does not expose Gaia IDs across other services.
In a statement, Google assured users that there was no evidence of active exploitation of these flaws before they were fixed on February 9, 2025.
This incident underscores the importance of rigorous security testing across interconnected systems. While individual APIs may seem secure in isolation, their integration with other services can create unforeseen vulnerabilities.
For users, this serves as a reminder to remain vigilant about online privacy. Experts recommend enabling two-factor authentication (2FA) and regularly reviewing account permissions to minimize risks.
As for tech giants like Google, this case highlights the need for proactive measures in safeguarding user data and addressing potential abuse vectors before they can be exploited.










