- A researcher discovered a disturbing YouTube security vulnerability
- The flaw allowed strangers to obtain the e-mail address of any YouTube account
- This has since been fixed, so users should make sure they are up to date as soon as possible
Experts have warned that the e-mail address of any YouTube account could be extracted from Google with a “relatively simple exploit”.
A researcher who goes by Brutecat managed to chain several vulnerabilities in Google products to access the email address of any YouTube user, reports Cybernews.
Google has now fixed the flaw, but it posed a serious risk to user privacy and could have exposed users to phishing attacks. About 1 billion hours of YouTube are watched daily, by nearly 2.5 billion users across 51 million channels, so confidentiality matters. Here is what we know.
Bounty hunters
The vulnerabilities were discovered because the researcher “dug through the internal People API (staging)” and noticed “something interesting”. They found that if you block someone on YouTube, you can leak their Google account identifier (the Gaia ID).
Going further, the researcher discovered that simply clicking the three-dot context menu caused the Gaia ID to be included in the server’s response, so it was not even necessary to block the channel. That meant the identifier could be leaked for every YouTube account, all four billion of them.
Then, by examining older Google products, they discovered that Pixel Recorder contained a bug that would let them convert a Gaia ID into an e-mail address. At first, when they did so, the victim received an e-mail notification, which considerably reduces the impact of the vulnerability. However, they found a workaround:
“This is when we realised: if it includes our recording title in the email, it might not be able to send an email if our recording title was too long.”
This worked, and when the recording title was extended to 2.5 million letters: “Bingo! No notification email”.
For disclosing the flaw, the researcher received a bounty of $10,633. There is a long-standing tradition of software providers offering bug bounties to security researchers; Google paid out $10 million in bounties in 2023.
The report was submitted on September 15, 2024, and in November the first payout of $3,133 was granted, with the justification: “The likelihood of exploitation is medium. Issue qualified as abuse-related methodology with a high impact.”
In December, a further $7,500 was awarded, this time because “the likelihood of exploitation is high. Issue qualified as abuse-related methodology with a high impact”, following an updated report from the product team.
The risk for users
Obviously, Google identified a risk of abuse from this flaw, but what is the risk for users? Well, credentials, passwords and other personally identifiable information are not part of this attack, which leaves only social-engineering attacks by e-mail.
We say “only”, but phishing attacks are a serious concern: they claim millions of victims each year and can lead to far more serious crimes such as identity theft or fraud.
If a cybercriminal sends you an email, there are big red flags you can look for. The first is their email address: if it reads G00GLE or M1CROSOFT instead of the legitimate address, do not open it. Likewise, if you receive a completely unexpected email from a “friend” using an account you do not recognise, particularly one asking you to act (click a link, send money, buy a gift card, and so on), be very, very suspicious.
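The look-alike sender check described above, as an added example that is not part of the original article: it classifies a From: address by whether its domain is on an assumed allow-list of brand domains, is a digit-for-letter look-alike of one (G00GLE, M1CROSOFT), or hides a brand name inside another domain. The allow-list, the confusable map and the sample addresses are all constructed for the example.

```python
# Added example (not from the article): flag sender domains that impersonate a
# trusted brand through digit/letter look-alikes such as G00GLE or M1CROSOFT.
from email.utils import parseaddr

# Digits commonly substituted for letters in look-alike domains (constructed map).
LOOKALIKES = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}

# Assumed allow-list of legitimate sender domains; replace with your own set.
TRUSTED_DOMAINS = ("google.com", "microsoft.com", "youtube.com")


def confusable(label: str, target: str) -> bool:
    """True if `label` equals `target` once digit/letter look-alikes are allowed."""
    if len(label) != len(target):
        return False
    return all(a == b or b in LOOKALIKES.get(a, "") for a, b in zip(label, target))


def sender_domain(address: str) -> str:
    """Lower-cased domain of a From: value such as 'Name <user@host>', or ''."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a From: address."""
    domain = sender_domain(address)
    if not domain:
        return "invalid"
    labels = domain.split(".")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"      # the brand domain itself or a real subdomain of it
    for t in trusted:
        t_labels = t.split(".")
        tail = labels[-len(t_labels):]
        if len(tail) == len(t_labels) and all(confusable(a, b) for a, b in zip(tail, t_labels)):
            return "lookalike"    # g00gle.com, mail.m1crosoft.com
        if any(confusable(lbl, t_labels[0]) for lbl in labels):
            return "lookalike"    # google.com.evil.net: brand used as a leading label
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from any real message.
    for sample in ("YouTube <no-reply@youtube.com>", "security@g00gle.com",
                   "billing@m1crosoft.com", "alerts@google.com.evil.net",
                   "friend@example.org"):
        print(f"{sample:35} -> {classify_sender(sample)}")
```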
If you are automatically wary of the emails you receive, you will be in a better position.
To be safe, you need to create strong, secure passwords for each account, and make sure you change them as often as you remember to.
The last thing to look for is attachments: if the account that sent the email is unknown and the e-mail contains images, links or documents, be suspicious. QR codes can also be malicious, so do not scan anything you are not sure about.