
Security researchers have uncovered and helped fix two significant vulnerabilities in Google’s systems that could have exposed millions of YouTube users’ email addresses, potentially compromising their anonymity.
The Security Flaws:
– A YouTube API vulnerability exposed users’ Google Gaia IDs (internal identifiers)
– A Pixel Recorder API flaw allowed conversion of Gaia IDs to email addresses
The Discovery Process:
Researchers BruteCat and Nathan found that YouTube’s live chat blocking feature inadvertently revealed users’ Gaia IDs through its API responses. They then discovered that Google’s Pixel Recorder sharing feature could convert these IDs into email addresses, effectively deanonymizing YouTube accounts.
Impact and Risks:
– Potential exposure of anonymous content creators
– Privacy risks for whistleblowers and activists
– Vulnerability extended beyond YouTube to other Google services
Resolution:
– Google implemented fixes on February 9th, 2025
– Bounty awarded: $10,633
– No evidence of active exploitation
– YouTube's blocking feature modified to affect only YouTube
– Both the Gaia ID leak and the email conversion vulnerability patched
The vulnerability chain was reported to Google on September 24th, 2024, and has been fully mitigated, with Google confirming no malicious exploitation occurred during the exposure period.