YouTube Dodges an Exploit That Would Have Exposed Billions of Emails
We often cover exploits found by bad actors, but sometimes well-meaning people locate issues with a company’s service to help it secure itself. Such is the case of one researcher who found a YouTube exploit that would have leaked everyone’s emails.
As the security researcher BruteCat described in their report, the exploit started with YouTube’s block feature. The service lists all blocked users on a single page, and when BruteCat visited that page and looked at its source, it displayed the unique Google Account identifier for everyone they had blocked.
They then discovered that if they intercepted a server request that fired when they clicked on the three-dot menu beside someone in a live chat, it would show the ID as part of the response. That way, they could harvest people’s account IDs without blocking them.
So BruteCat could grab anyone’s ID, but on its own that ID didn’t leak any personal information. They began toying with other Google products to see if they could feed the ID into the system and get something identifiable, and noticed that if they used Pixel Recorder to send a request to share a sound file with a user via their ID, the server would send back the email address attached to that account.
This meant they could harvest anyone’s email address from their ID, but sharing a file with the user also sent that user a notification email. To get around this, they set the recording name to be 2.5 million letters long, far too many letters to fit into an email.
Sure enough, the share response still returned the email address, but no notification was sent. They then wrote a Python script that automated everything: when fed an ID, it returned an address.
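The two server-side mistakes the story turns on are an endpoint that echoes a resolved email address back to the caller, and a notification path that fails open, so an oversized title silently turns a share into an ID-to-email lookup. The following is an added illustrative example, not Google’s, Pixel Recorder’s or BruteCat’s code: a simulated share handler written the vulnerable way next to a hardened version that validates input, never returns the resolved email, and treats a notification failure as a failed share. The account directory, the ID and email values, and the 200-character title limit are all constructed for the demonstration.

```python
# Constructed example: a simulated "share recording with user" endpoint.
# Account IDs, emails and the title limit below are made up; none are real.

MAX_TITLE_LEN = 200  # assumed limit for this demo; the page states no real value

# Hypothetical directory: opaque account ID -> email address
ACCOUNTS = {
    "acct-0001": "alice@example.com",
    "acct-0002": "bob@example.com",
}


class NotificationError(Exception):
    """Raised by the simulated mailer when a message cannot be sent."""


def send_notification(email, title, sent_log):
    """Simulated mailer: refuses oversized subjects, like the failure the page describes."""
    if len(title) > MAX_TITLE_LEN:
        raise NotificationError("subject too long")
    sent_log.append((email, title))


def share_vulnerable(recipient_id, title, sent_log):
    """'Before' pattern: resolves the ID to an email, echoes that email back to the
    caller, and swallows mailer failures. An oversized title therefore yields the
    recipient's email with no notification to warn them."""
    email = ACCOUNTS.get(recipient_id)
    if email is None:
        return {"ok": False}
    try:
        send_notification(email, title, sent_log)
    except NotificationError:
        pass  # fails open: share succeeds, recipient never hears about it
    return {"ok": True, "recipient_email": email}


def share_hardened(recipient_id, title, sent_log):
    """Hardened pattern:
    1. validate the title before touching any account data;
    2. never put the resolved email in the response (the caller only needs the ID);
    3. fail closed: if the recipient cannot be notified, the share is rejected;
    4. use one generic error for unknown IDs and mailer failures so the response
       does not confirm whether a given ID maps to a real account."""
    if not (0 < len(title) <= MAX_TITLE_LEN):
        return {"ok": False, "error": "invalid_title"}
    email = ACCOUNTS.get(recipient_id)
    if email is None:
        return {"ok": False, "error": "invalid_request"}
    try:
        send_notification(email, title, sent_log)
    except NotificationError:
        return {"ok": False, "error": "invalid_request"}
    return {"ok": True, "recipient": recipient_id}


if __name__ == "__main__":
    oversized = "x" * 300
    print("vulnerable:", share_vulnerable("acct-0001", oversized, []))
    print("hardened:  ", share_hardened("acct-0001", oversized, []))
```

Running the block shows the vulnerable handler returning `alice@example.com` for an oversized title while its notification log stays empty, and the hardened handler rejecting the same request before any lookup happens. The length check alone would not have been enough: the response-shape change (returning the opaque ID, not the email) is what removes the disclosure, and failing closed on the mailer is what keeps the recipient in the loop.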
If this fell into the wrong hands, scammers would have a field day harvesting the emails of users, content creators, and anyone else on YouTube. However, because BruteCat is an ethical hacker, they instead detailed the issue to Google, who fixed the problem and gave BruteCat $10,000.
If you, too, would like to get paid for cracking open a company’s security, there are ethical hacking courses for beginners to check out, and you can also read up on the Certified Ethical Hacker (CEH) certification. Just don’t go around attacking companies without their permission; that’s where the line between ethical hacking and criminal hacking lies.