Credit: Edgar Cervantes / Android Authority
- Researchers discovered a YouTube exploit that allowed attackers to extract a user’s Google account ID and convert it into their email address.
- The flaw combined YouTube’s live chat system with a loophole in Google Pixel Recorder, which returned emails when given a Google ID.
- Google patched the issue after a few months and awarded the researchers a $10,633 bug bounty.
YouTube has recently been in the spotlight for frustrating users with stricter ad blocker policies and long, unskippable ads. However, a newly revealed security flaw posed an even bigger concern, potentially exposing users’ email addresses.
As documented in a Brutecat article, YouTube allowed white-har hackers to uncover the email address behind any YouTube account. Security researchers Brutecat and Nathan found that combining vulnerabilities in YouTube’s live chat system and Google Pixel Recorder made it possible to expose a user’s Google account email.