Two researchers have discovered a pair of vulnerabilities affecting YouTube users. The flaws are located in the APIs of YouTube and Pixel Recorder, the software interfaces that allow developers to interact with Google services. Chained together in a single attack, the flaws are likely to seriously endanger the privacy of Internet users.
By exploiting the first flaw, an attacker can obtain the user's Google Gaia ID. Gaia is the identity management system Google uses to authenticate its users on its various services, including YouTube, Gmail and Google Drive. The ID is not supposed to be public; its use is limited to Google's internal services.
A flaw in YouTube blocking
To obtain this identifier, the researchers used the blocking function on YouTube, which allows you to block a user in a live chat. When a user is blocked, the feature sends a response to the user who initiated the action. This technical response contains the Gaia identifier of the blocked person. The data is obfuscated, i.e. well hidden, but the researchers were able to identify the information by decoding base64-encoded data.
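Base64 is an encoding, not a protection, so anything placed in such a field should be treated as visible to the client. The following is an added example, not code from the researchers or from Google: a response audit that a team could run against its own API output to flag base64 fields that decode to an internal-looking account ID. The field names, the sample ID, the token layout and the "15 or more digits" rule are all assumptions made up for the illustration.

```python
import base64
import binascii
import re

# Strings that look like base64 or base64url and are long enough to matter.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
# Assumption for this example: internal account IDs are long decimal runs.
ID_RUN = re.compile(rb"\d{15,}")

def decode_b64(token):
    """Decode base64 or base64url text; return None if it is not valid."""
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None

def scan_string(value, max_layers=3):
    """Peel up to max_layers of base64; return (layer, id) for each ID-like run."""
    hits, layer = [], 0
    while layer < max_layers and B64_TOKEN.fullmatch(value):
        raw = decode_b64(value)
        if raw is None:
            break
        layer += 1
        hits += [(layer, m.group().decode()) for m in ID_RUN.finditer(raw)]
        # Binary payloads stop the loop here; nested base64 text continues it.
        value = raw.decode("ascii", "replace")
    return hits

def find_leaks(obj, path="$"):
    """Walk parsed JSON; yield (json_path, layer, id) for every leaking string."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from find_leaks(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from find_leaks(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        for layer, ident in scan_string(obj):
            yield path, layer, ident

# Constructed sample response: hypothetical field names, made-up ID.
FAKE_ID = b"100000000000000000001"
ONCE = base64.urlsafe_b64encode(b"\x0a\x15" + FAKE_ID + b"\x12\x04chat").decode()
TWICE = base64.urlsafe_b64encode(ONCE.encode()).decode()
SAMPLE_RESPONSE = {"status": "ok", "actions": [
    {"label": "Block", "contextToken": ONCE},
    {"label": "Undo", "contextToken": TWICE}]}
```

Running `list(find_leaks(SAMPLE_RESPONSE))` reports both tokens, including the one wrapped in a second base64 layer.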
Once the identifier was obtained, the researchers set out to find a solution to convert it into an email address. One of the experts discovered a vulnerability in Pixel Recorder, a feature of Google's Pixel smartphones that allows you to record videos and sounds. Using a flaw in the feature's Web API, the duo were able to convert the identifier into an email address. The vulnerability is in the sharing option.
Step by step, the researchers were able to recover the email address linked to a Google account starting from a username on YouTube. The combination of these two flaws endangers the anonymity of creators who publish videos on the platform and of ordinary Internet users. An email address can indeed be used to trace a person's identity in certain cases.
Alerted by the researchers, Google has just fixed the two flaws. The Mountain View giant has resolved the problems linked to the Gaia identifier leak. Additionally, the blocking of a user on YouTube was limited to that platform, without affecting other Google services. There is no sign that either flaw was exploited by hackers.
Source: Bleeping Computer
