Google has fixed two vulnerabilities in YouTube’s infrastructure. These vulnerabilities allowed attackers to expose email addresses linked to anonymous channels. The root cause was an outdated version of the Pixel Recorder API and vulnerabilities in Google’s account management system.
For many YouTube users, including activists, whistleblowers, and content producers who cherish their anonymity, this information has substantial consequences.
The exploitability of the YouTube and Pixel Recorder APIs was found by security researchers BruteCat and Nathan. They found that these techniques could extract Google Gaia IDs and convert them to email addresses.
The hack also used YouTube’s internal user-blocking function and a misconfigured cloud service to bypass privacy protections.
Google uses a Gaia ID, a unique internal identifier, to manage accounts across its services. When you sign up for a Google Account, the same ID is assigned to Gmail, YouTube, Google Drive, and other services. This identifier is intended for internal use only and is not meant to be exposed publicly.
From Gaia ID to Email: The YouTube Flaw That Google Fixed
YouTube unintentionally reveals a user’s obfuscated Gaia ID, as BruteCat found out when testing the blocking feature. When trying to ban someone in a live chat, base64 encoded data was included in the API response from /youtube/v1/live_chat/get_item_context_menu. This information, once decoded, gave the Gaia ID of the target user.
Researchers observed that selecting the three-dot menu in a conversation caused a background call to YouTube’s API. This single move allowed access to an ID without any further security precautions.
Researchers were able to get the Gaia ID of any YouTube channel, including those attempting to remain anonymous, by altering the API request. After acquiring the Gaia ID, the researchers looked for a way to turn it into an email address. This conversion would have increased the flaw’s severity.
Earlier APIs capable of performing this conversion had been deprecated or no longer worked. As a result, BruteCat and Nathan focused their efforts on outdated Google services that might still be exploitable.
After some investigation, Nathan found that Pixel Recorder has a web-based API which, when a recording is shared, can convert a Gaia ID into an email address. By adjusting the API request, attackers could in theory collect Gaia IDs from any YouTube channel, even ones with no live-chat activity.
Having obtained a YouTube user's Gaia ID, an attacker could submit it to the Pixel Recorder sharing function, which then returned the associated email address. This functionality could have exposed the identities of millions of people.
The researchers had found a way to obtain an email address from a Gaia ID, but the service also notified the recipient whenever someone shared a recording with them. This notification could have alerted the target to the malicious activity.
To bypass this, the researchers modified their requests so that the recording's title, which was displayed in the notification email, was millions of characters long. Consequently, Google's email notification system failed during testing, and no notification was sent.
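The notification bypass above is an input-validation and fail-open problem: an attacker-controlled field reached the mailer unbounded, and the share still completed when the mailer failed. The following added example (not Google's code; the share flow, the `mailer` stand-in and the 256-character limit are all assumptions) shows the weak pattern beside a hardened one that bounds the title and fails closed when the recipient cannot be notified.

```python
# Added illustration (not Google's code): the notification step of a share flow that
# (a) bounds caller-controlled text before it reaches the mailer and (b) fails closed,
# so a mailer failure cannot silently suppress the "someone shared with you" alert.
import re
from dataclasses import dataclass

MAX_TITLE_CHARS = 256  # hypothetical limit; the page states no specific bound


@dataclass
class ShareRequest:
    recipient_ref: str  # opaque account reference; never echoed back to the caller
    title: str          # caller-controlled field that ends up in the email body


class MailerError(Exception):
    """Raised by the (hypothetical) mail backend when it cannot deliver."""


def mailer(recipient_ref: str, body: str) -> None:
    # Stand-in mail backend: mimics the page's failure mode by choking on huge bodies.
    if len(body) > 1_000_000:
        raise MailerError("message body too large")


def validate_title(title: str) -> str:
    """Reject titles that are empty, oversized or carry control characters."""
    if not title or len(title) > MAX_TITLE_CHARS:
        raise ValueError("title length out of bounds")
    if re.search(r"[\x00-\x1f\x7f]", title):
        raise ValueError("control characters not allowed in title")
    return title


def share_fail_open(req: ShareRequest, send=mailer) -> dict:
    """Weak pattern: a notification failure is swallowed and the share still completes."""
    try:
        send(req.recipient_ref, f"A recording was shared with you: {req.title}")
    except MailerError:
        pass  # the recipient never learns about the share
    return {"status": "shared", "notified": False}


def share_fail_closed(req: ShareRequest, send=mailer) -> dict:
    """Hardened pattern: validate the title, then complete the share only if the
    recipient notification was actually sent; the response carries no email address."""
    title = validate_title(req.title)
    try:
        send(req.recipient_ref, f"A recording was shared with you: {title}")
    except MailerError as exc:
        raise RuntimeError(f"share refused: notification failed ({exc})") from exc
    return {"status": "shared", "notified": True}
```

A mailer outage is surfaced to the caller and logged as a refused share rather than completing silently, which also gives the monitoring team a signal to alert on.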
The flaw was disclosed to Google on 24 September 2024, and the issue was fixed on 9 February 2025. Initially, Google classified the vulnerability as a duplicate of a previously identified bug and offered a $3,133 reward.
However, after the researchers demonstrated the additional Pixel Recorder component, Google recognised the significant risk of misuse and increased the reward to $10,633.
BruteCat and Nathan confirmed that Google had fixed both the Gaia ID leak and the Gaia ID-to-email vulnerability in Pixel Recorder. Additionally, Google ensured that blocking a user on YouTube would now only affect that platform, leaving other services unaffected.
Although Gaia IDs are not inherently sensitive, they can pose a risk when combined with other vulnerabilities. The researchers demonstrated that Google’s Pixel Recorder API could convert these IDs into email addresses, thereby exposing users to potential threats.
Clearly, Google has recognised the risk associated with this flaw. The primary remaining concern, however, is social engineering via email: although the exposed data does not include login credentials, passwords, or other personal information, a verified email address is exactly what a phishing campaign needs. Phishing remains a major threat claiming millions of victims each year and potentially leading to severe crimes such as identity theft or fraud.
The sender's address should always be checked when analysing suspicious emails. Avoid opening a message if it displays "G00gle" or "M1crosoft" in place of the correct domain. Similarly, be cautious of unexpected emails from contacts that urge you to click a link, send money, or purchase gift cards.
At Phishing Tackle, we know all too well that security technology is often left incorrectly configured, as demonstrated by our free Domain Spoofing Test, which currently gets past around 50% of users' security systems.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.