Andisearch Writeup
A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube’s 2.7 billion users by exploiting two separate Google services[1][2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube’s block feature, then using Google’s Pixel Recorder app to convert these IDs into email addresses[1:1].
To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system[1:2]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users’ GaiaIDs without actually blocking them[2:1].
Brutecat reported the vulnerability to Google on September 15, 2024[1:3]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity[1:4]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers[2:2].
Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure[1:5].
Why not couch the article as “a vulnerability was found and patched” instead of “something bad could have happened”?
“STORE COULD HAVE BEEN ROBBED!! A bystander noticed the door wasn’t locked, with the owner realizing he hadn’t been locking it correctly. There is no evidence anyone broke in.”
News in the porcelain village in Oz.