- A researcher has discovered a worrying YouTube security vulnerability
- The defect allowed strangers to access all the emails of the YouTube account
- This has been paved since then, so users must be updated as soon as possible.
Experts have warned that any email from a YouTube account could be removed from Google with a ‘relatively simple exploit’
A researcher who passes through Brutecat managed to take advantage of several vulnerabilities in Google products to access the email address of any YouTube user, reports Cybernews.
Google has now paved the defect, but this represents a serious risk for user privacy and could endanger phishing attacks. A billion YouTube hours are observed daily, with almost 2.5 billion users and 51 million channels, so privacy is important, this is what we know.
Rewards hunters
The vulnerabilities were discovered because the researcher was “digging through the internal API of the people (staging)” and noticed “something interesting.” They discovered that by blocking if it blocks someone on YouTube, you can filter your Google account identifier.
To continue, the researcher discovered that by clicking on the three -point context menu, Gaia ID was included in the server response, so there was no need to block the channel, which means that this could intensify each YouTube account, the four billion of them.
Then, when looking for old Google products, they discovered that the Pixel recorder contained an error that would allow them to convert Gaia ID exposed to an email address. At first, when they did this, the victim would receive an email notification, which reduces the impact of vulnerability quite significantly. However, they discovered a job;
“It was then that we realized: if it includes our recording title in the email issue, maybe I could not send an email if our recording title were too long.”
This worked, and when the recording title was extended to 2.5 million cards, “Bingo! Without notification by email”.
For the dissemination of the failure, the researcher received a reward of $ 10,633. There is a long tradition of software service providers who offer errors rewards for security researchers, and Google delivered $ 10 million in rewards in 2023.
The report was sent on September 15, 2024, and in November, the first award of $ 3,133 was granted, with the reason: “The probability of exploitation is medium. The problem called as a methodology related to abuse with high impact.”
For December, another $ 7,500 was granted, this time because “the probability of exploitation is high. The theme qualified as a methodology related to high impact abuse”, thanks to an updated report of the product equipment.
The risk for users
Clearly, Google has identified the risk of abuse of this defect, but what is the risk for users? Well, since the login credentials, passwords or other personal identification information are not part of this attack, which simply leaves social engineering attacks by email.
We say ‘fair’, but Phishing attacks are a serious concern, and millions of victims claim each year, and can lead to much more serious crimes such as identity theft or fraud.
If a cybercriminal sends an email, there are large red flags that can take into account. The first of all is your email address: if it is G00GLE or M1Crrosoft instead of its legitimate addresses, do not open it. Or, if you receive a completely unexpected email from a ‘friend’ of an account that does not recognize, especially one that urges the action (that is, you ask you to click a link, send money, buy a gift card, etc.) – Then be very, very suspicious.
If you automatically suspect the emails you receive, you will be in a better position.
To be sure, you must create strong and safe passwords for each account, and be sure to change them with the greatest frequency you can remember.
The last thing you should look for are the attachments, if the account that sent the account is unknown and the email contains images, links or documents, this is suspicious. QR codes can be malicious, so not scan anything that is not safe is safe.
