YouTube Security Flaw Exposed User Emails

A newly discovered security flaw in YouTube’s live chat system may have exposed user email addresses, raising concerns about privacy and data security. Security researchers Brutecat and Nathan identified the vulnerability, which existed from September 2024 to February 2025, before being patched by Google. The flaw exploited YouTube’s user blocking mechanism, potentially revealing email addresses linked to Google accounts.

The vulnerability stemmed from backend requests containing base64-encoded Gaia IDs, which, when decoded, could reveal associated email addresses. This raised significant concerns, particularly for content creators relying on anonymity. The flaw was discovered despite Google’s increased focus on authentication security, including passkey support and biometric authentication measures.

After being alerted to the issue, Google quickly patched the vulnerability and awarded a $10,633 bug bounty to the researchers. The company confirmed that the flaw has been resolved, preventing further exposure of user email addresses. This aligns with Google’s ongoing security initiatives, such as Identity Check for Android and participation in the FIDO authentication standard alongside Apple and Microsoft.

Security experts noted that the exploit was relatively easy to execute, emphasizing the need for continuous monitoring and security improvements across Google’s platforms. The incident serves as a reminder of the evolving challenges in digital privacy and online security, particularly as cyber threats continue to evolve.