Google has fixed two vulnerabilities that, when chained together, could expose the email addresses of YouTube accounts, causing a massive privacy breach for those using the site anonymously.
The flaws were discovered by security researchers Brutecat (brutecat.com) and Nathan (schizo.org), who found that YouTube and Pixel Recorder APIs could be used to obtain user’s Google Gaia IDs and convert them into their email addresses.
The ability to convert a YouTube channel into an owner’s email address is a significant privacy risk to content creators, whistleblowers, and activists relying on being anonymous online.
Time to go back to the good ‘backfiring’ mail addresses, like we used in the 90’s:
Youtube.sold.this.address@myomain.xy
Where’s the link to that exploit? At least point us to it.
https://feddit.org/post/7894572 earliest post I could find. It’s a clever exploit, but it was patched 3 days ago.
