- A researcher has discovered a worrying YouTube security vulnerability
- The flaw made it possible for outsiders to obtain the email address behind any YouTube account
- Google has since patched it, but users should stay alert to phishing attempts
Experts have warned that the email address behind any YouTube account could be extracted from Google with a ‘relatively simple’ exploit.
A researcher going by the handle Brutecat chained several vulnerabilities across Google products to obtain the email address of any YouTube user, Cybernews reports.
Google has now patched the flaw, but it represented a serious risk to users’ privacy and could have exposed them to targeted phishing attacks. Around 1 billion hours of YouTube are watched every day, across almost 2.5 billion users and 51 million channels, so privacy matters. Here is what we know.
Bounty Hunters
The vulnerabilities were found when the researcher was “digging through the internal API (staging)” and noticed “something interesting”: blocking someone on YouTube leaks that person’s Google account identifier, the Gaia ID.
Specifically, the researcher found that the Gaia ID was included in the server response when the three-dot context menu next to a user was opened in order to block them.
Next, by examining older Google products, they found that Pixel Recorder contained a flaw that let them convert the exposed Gaia ID into an email address. At first, doing so sent the victim a notification email, which lowers the impact of the vulnerability considerably. However, they found a workaround:
“That’s when we realized: if it includes our recording title in the email, it might not be able to send an email if our recording title was too long.”
This worked, and once the recording title was padded to 2.5 million characters: “Bingo! No notification email.”
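To make the failure mode concrete, here is a small Python model of the two weaknesses the chain relied on: a share endpoint that resolves an opaque account ID to an email address and hands it back to the caller, and a notification that is best-effort, so an oversized title quietly suppresses the only signal the victim would get. This is an added example and is not Google’s or the researcher’s code; the Directory and Mailer classes, the MAX_TITLE_LEN and MAIL_BODY_LIMIT values and the sample account "gaia-1111" are assumptions made for illustration.

```python
"""Toy model of the fail-open notification bug the researcher abused.

Added illustration, not Google's or the researcher's code: Directory,
Mailer, MAX_TITLE_LEN, MAIL_BODY_LIMIT and the account "gaia-1111" are
constructed assumptions. Only the behaviour the article describes is
modelled: a share resolves an account ID to an email address and still
succeeds when the notification cannot be sent, so an oversized title
silently suppresses the notice to the victim.
"""
from dataclasses import dataclass, field

MAX_TITLE_LEN = 1024          # assumed sane limit; the article gives no real figure
MAIL_BODY_LIMIT = 1_000_000   # assumed mailer limit; a 2.5M-char title exceeds it


class MailTooLarge(Exception):
    """Raised by the stand-in mailer when the body exceeds its limit."""


@dataclass
class Directory:
    """Stand-in account-ID -> email lookup holding constructed data."""
    emails: dict = field(default_factory=lambda: {"gaia-1111": "victim@example.com"})

    def email_for(self, account_id: str) -> str:
        return self.emails[account_id]


@dataclass
class Mailer:
    """Stand-in mailer that records deliveries and rejects huge bodies."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        if len(body) > MAIL_BODY_LIMIT:
            raise MailTooLarge(len(body))
        self.sent.append((to, subject))


def share_recording_vulnerable(title: str, target_id: str,
                               directory: Directory, mailer: Mailer) -> dict:
    """Vulnerable pattern: the resolved address is echoed to the caller and
    the notification is best-effort, so a delivery failure is swallowed."""
    email = directory.email_for(target_id)
    grant = {"shared_with": email, "title_len": len(title)}   # leaks the address
    try:
        mailer.send(email, "A recording was shared with you", "Recording: " + title)
    except MailTooLarge:
        pass  # share already granted; the victim is never told
    return grant


def share_recording_hardened(title: str, target_id: str,
                             directory: Directory, mailer: Mailer) -> dict:
    """Hardened pattern: reject oversized input before doing anything, never
    return the resolved address, and fail closed if the notice is not sent."""
    if len(title) > MAX_TITLE_LEN:
        raise ValueError("title too long")
    email = directory.email_for(target_id)
    try:
        mailer.send(email, "A recording was shared with you", "Recording: " + title)
    except MailTooLarge as exc:
        raise RuntimeError("share refused: notification not delivered") from exc
    return {"shared_with": target_id, "title_len": len(title)}  # opaque ID only


if __name__ == "__main__":
    d, m = Directory(), Mailer()
    huge = "A" * 2_500_000
    print(share_recording_vulnerable(huge, "gaia-1111", d, m), "mails sent:", len(m.sent))
    try:
        share_recording_hardened(huge, "gaia-1111", d, Mailer())
    except ValueError as e:
        print("hardened:", e)
```

The point of the hardened version is not the particular length limit but the ordering: validate before any side effect, treat the notification as part of the transaction rather than an afterthought, and never let a request that names an opaque identifier come back carrying the real identity behind it.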
For disclosing the flaw, the researcher was awarded a $10,633 bounty. There is a long-standing tradition of software vendors paying bug bounties to security researchers; Google paid out $10 million in bounties in 2023.
The report was submitted on September 10, 2024, and in November a first award of $3,133 was granted on the grounds that: “Exploit probability is medium. The issue qualified as an abuse-related method with high impact.”
In December an additional $7,500 was awarded, this time because “the exploit probability is high. The issue qualified as an abuse-related method with high impact”, following an updated report from the product team.
The risk to users
Google has clearly identified an abuse risk in this flaw, but what is the risk to users? Login credentials, passwords and other personally identifiable information beyond the email address are not exposed by this attack, which leaves ‘just’ social engineering attacks via email.
We say ‘just’, but phishing attacks are a serious problem that claims millions of victims every year, and they can lead to far more serious crimes such as identity theft and fraud.
If a cybercriminal emails you, there are big red flags to look for. The first is the sender’s address: if it comes from a look-alike domain such as G00GLE or M1CROSOFT instead of the legitimate one, do not open it. Likewise, if you receive a completely unexpected email from a ‘friend’ sent from an account you do not recognise, especially one that calls for action (asking you to click a link, send money, buy a gift card and so on), be very suspicious.
If you treat every email you receive with a degree of suspicion by default, you will be in a better position.
To be safe, use a strong, unique password for each account, and change it promptly if you suspect it has been exposed.
The last thing to watch for is attachments: if the sending account is unknown and the email contains images, links or documents, treat it as suspicious. QR codes can also be malicious, so do not scan one unless you are sure it is safe.
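The look-alike sender check described above can be automated rather than eyeballed. The Python below, an added example that is not part of the article or of any product it mentions, collapses characters that look alike in a mail client (0 for o, 1 for i or l, and so on) and flags a sender domain whose skeleton matches a trusted domain or that buries a trusted brand name inside another domain. The TRUSTED set, the CONFUSABLES table and the sample From: headers are constructed for illustration.

```python
"""Flag sender addresses that imitate a trusted domain with digit-for-letter
swaps (G00GLE for google, M1CROSOFT for microsoft) or by burying a trusted
name inside another domain (youtube.com.evil.net, accounts-google.com).

Added example, not code from any product in the article: TRUSTED, the
CONFUSABLES table and the sample headers are constructed.
"""
from email.utils import parseaddr

TRUSTED = {"google.com", "microsoft.com", "youtube.com"}

# Collapse look-alike characters so "g00gle" and "google", or "m1crosoft"
# and "microsoft", share one skeleton. Assumed table, deliberately small;
# real confusable lists (e.g. Unicode TR39) are far larger.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e",
                             "5": "s", "7": "t"})


def skeleton(domain: str) -> str:
    """Lower-case the domain and map confusable characters to one form."""
    return domain.lower().translate(CONFUSABLES)


TRUSTED_SKELETONS = {skeleton(d) for d in TRUSTED}
TRUSTED_NAMES = {skeleton(d.split(".")[0]) for d in TRUSTED}


def sender_domain(from_header: str) -> str:
    """Extract the domain from an RFC 5322 From: value such as
    'Google <no-reply@google.com>'; raises ValueError if there is none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From header: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if domain in TRUSTED:
        return "trusted"
    sk = skeleton(domain)
    if sk in TRUSTED_SKELETONS:
        return "lookalike"            # exact match after confusable folding
    # A trusted brand name used as a label anywhere else in the domain
    # (subdomain, hyphenated prefix, fake suffix) is the other common trick.
    labels = sk.replace("-", ".").split(".")
    if any(name in labels for name in TRUSTED_NAMES):
        return "lookalike"
    return "unknown"


def triage(headers):
    """Classify several From: headers; returns {header: verdict}."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    SAMPLES = [
        "Google <no-reply@google.com>",
        "Google Security <alert@G00GLE.com>",
        "Microsoft Support <help@m1crosoft.com>",
        "YouTube <notify@youtube.com.evil.net>",
        "Alice <alice@example.org>",
    ]
    for header, verdict in triage(SAMPLES).items():
        print(f"{verdict:9s} {header}")
```

An "unknown" verdict is not a clean bill of health; it only means the domain does not resemble one on the trusted list, so the other red flags in the article (unexpected sender, urgent call to action, attachments) still apply.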