Edgar Cervantes / Android Organization
TL; dr
- Researchers found youtube exploitation that allows the attackers to produce a user’s Google account ID and converted to e-mail address.
- When the defect, Google ID, returning emails, Google combined YouTube with a vibrant chat system on Pixel Recorder.
- Google was awarded the issue of $ 10,633 in a few months after a few months.
YouTube Recently, a tougher advertising blocker has been in the spotlight for users who have a blocker policy and long, uncertain ads. However, the newly emerging security defect has created a larger concern that users expose their email addresses potentially.
As a documentary Brutecat articleYouTube allowed White-Har hackers to open an email address behind any YouTube account. Security researchers connect Brutecat and Nathan, the vulnerabilities of YouTube live chat system and Google Pixel Recorder Google has allowed a user to expose the account email.
How did YouTube work on how it works
The issue was managed by the YouTube user blocked. When someone is blocked, youTube, known as Gaia ID and it is more recognized than the actual email address. Although this person is intended to remain internally, researchers have caused a request to the background of YouTube in a Base64 coded format in a Base64-coded format in a user profile.
This can be removed by interacting with Gaia ID, which tries to remain anonymous, including any YouTube user. With this ID card, researchers looked for a way to turn it into an email address.
This is where the Pixel printer enters the game. The team will share a sound record with a web-based Pixel Recorder application, the system will return the buyer’s email address in response to the buyer’s Gaia ID. This turned the pixel printer effectively into an unplanned email search tool for Google accounts.
At first there was a defect of YouTube: When the aggressive uses a pixel writer to get an email, the target would receive a notification about the target-shared record. However, researchers found a way to reduce the likelihood of this.
The notification email has managed their wishes to create an extremely long title because the record is included – the length of millions of characters. This led to the failure of Google’s email notification system tests, preventing warnings from sending them in these cases.
Google’s response
The use was reported to Google in September. First, the company was classified as a duplicate of a mistake previously followed by a bounty of 3133. However, after demonstrating the exploitation of additional pixel writing, the researchers have reassessed the issue. In December 2024, appreciates the risk of exploitation and increased payments to $ 10.633.
Google recently fixed the exposure to YouTube Gaia ID leak and pixel recorder. The YouTube blocking system has also been updated so that this is no longer synchronization in all Google services.
In an answer Crazy computer In connection with the mistake, Google said there was no evidence that the weaknesses were actively operated before patch.
Source link
