Security researcher Brutecat discovered two vulnerabilities in Google's YouTube video website. Although Google promises to protect user privacy, chaining the two vulnerabilities made it possible to obtain the real Gmail address of a YouTube channel's creator.

With a creator's Gmail address in hand, an attacker could also impersonate Google or YouTube to phish creators, leading to further harm such as the takeover of large YouTube channels and the publishing of phishing websites.

While analysing Google's People API, the researcher first noticed that the feature for blocking YouTube users relied on obscure GaiaIDs, the identifiers of the account system shared by all Google products.

According to Google's support page, blocking someone on YouTube automatically extends to other Google products, which means that when a user blocks someone, it is not the other person's YouTube account that is blocked, but their GaiaID.

Several bugs that resolved a GaiaID to an email address have been found in the past, and the researcher believed such a weakness might still exist in some older, less well-known Google products.

Subsequent verification proved the researcher right. The researcher found the link in the web version of Google Pixel Recorder (the voice recorder that ships with Google Pixel devices). By sharing a recording from the Pixel Recorder web version to a GaiaID and inspecting the resulting web request, the target's email address was exposed.

Normally, such an operation triggers a sharing notification to the target user (for example, a notification that a recording has been shared). But the researcher used a Python script to set an extremely long recording file name (2.5 million characters), which caused Google not to send the sharing notification to the target user.
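The notification-suppression step above illustrates a general design flaw: a share action that completes even when its notification step silently fails. The following is an added example, not Google's or Brutecat's code, written from a defensive angle. It models a hypothetical recording-share service (`ShareStore`, `FlakyNotifier`, `share_naive`, `share_hardened` and the `MAX_TITLE_LEN` bound are all assumed names and values, not the real product's) and contrasts a handler that grants access and swallows notifier errors with one that bounds the input before any side effect and rolls the grant back if the recipient cannot be notified.

```python
"""Share handler that must not succeed silently when notification fails.

Added illustration; every class, function and limit here is hypothetical.
"""
from dataclasses import dataclass, field

MAX_TITLE_LEN = 256               # assumed application bound on a recording title
NOTIFIER_PAYLOAD_LIMIT = 100_000  # constructed: the fake backend breaks above this size


class NotificationError(Exception):
    """Raised by the (fake) notification backend when delivery fails."""


class FlakyNotifier:
    """Constructed stand-in for a notification backend.

    It fails on oversized payloads (mimicking the failure mode described in
    the article) and can be forced to fail to simulate an outage.
    """

    def __init__(self, fail_always: bool = False) -> None:
        self.sent: list[tuple[str, str]] = []
        self.fail_always = fail_always

    def send(self, recipient_id: str, title: str) -> None:
        if self.fail_always or len(title) > NOTIFIER_PAYLOAD_LIMIT:
            raise NotificationError("notification could not be delivered")
        self.sent.append((recipient_id, title))


@dataclass
class ShareStore:
    """In-memory record of which recipient may read which recording."""

    grants: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, recipient_id: str, recording_id: str) -> None:
        self.grants.setdefault(recipient_id, set()).add(recording_id)

    def revoke(self, recipient_id: str, recording_id: str) -> None:
        self.grants.get(recipient_id, set()).discard(recording_id)

    def has(self, recipient_id: str, recording_id: str) -> bool:
        return recording_id in self.grants.get(recipient_id, set())


def share_naive(store: ShareStore, notifier: FlakyNotifier,
                recipient_id: str, recording_id: str, title: str) -> bool:
    """Flawed pattern: grant access first, then ignore notifier failures.

    An oversized title makes the notifier raise, the error is swallowed, and
    the recipient ends up with access but no notification.
    """
    store.grant(recipient_id, recording_id)
    try:
        notifier.send(recipient_id, title)
    except NotificationError:
        pass  # silent failure: the share went through unannounced
    return True


def share_hardened(store: ShareStore, notifier: FlakyNotifier,
                   recipient_id: str, recording_id: str, title: str) -> bool:
    """Hardened pattern: validate before side effects, fail closed afterwards.

    1. Reject any title over MAX_TITLE_LEN before touching state, so a huge
       input cannot reach the notifier at all.
    2. If delivery still fails (outage), revoke the grant and surface the
       error instead of leaving an unannounced share in place.
    """
    if not isinstance(title, str) or len(title) > MAX_TITLE_LEN:
        raise ValueError(f"title exceeds {MAX_TITLE_LEN} characters")
    store.grant(recipient_id, recording_id)
    try:
        notifier.send(recipient_id, title)
    except NotificationError:
        store.revoke(recipient_id, recording_id)  # roll back: no silent share
        raise
    return True


if __name__ == "__main__":
    huge_title = "x" * 2_500_000  # constructed input of the size the article mentions
    store, notifier = ShareStore(), FlakyNotifier()
    share_naive(store, notifier, "gaia-recipient", "rec-1", huge_title)
    print("naive: access granted =", store.has("gaia-recipient", "rec-1"),
          "| notifications sent =", len(notifier.sent))
    store, notifier = ShareStore(), FlakyNotifier()
    try:
        share_hardened(store, notifier, "gaia-recipient", "rec-1", huge_title)
    except ValueError as exc:
        print("hardened: rejected before any side effect:", exc)
```

The two properties worth taking from this are ordering and failure handling: input limits are enforced before any state changes, and the side effect that matters for the user (the grant) is tied to the one that protects them (the notification), so a failure in the second undoes the first rather than being ignored.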

After confirming the vulnerability was exploitable, the researcher reported it to Google, which subsequently confirmed it and awarded a bounty of US$3,133. On further review, Google judged the vulnerability likely to be exploited, reassessed its severity and awarded an additional US$7,500, bringing the researcher's cumulative bounty to US$10,633.

Google has now fixed the vulnerability; had it not, the researcher would not have disclosed the details above.