Google usually keeps Google's related e-mail address secrets to protect users' privacy. However, one security researcher Brutekat said that it is possible to easily extract the G-mail address from the YouTube ID by combining two separate defects on the Google system. And this information was informed by Google as a prize, $ 1,900 or Tk 1 lakh.
While Brotekat was examining Google's People API, he noticed that the block function of YouTube was using Google's 'Gaia' ID. Google says that if someone blocks someone on YouTube, their gaia ID is blocked and it is effective in other Google services.
Note that Gaia is Google's ID Management System, which is used for user information and session management in various services and products of Google. It originally serves as a centralized user identity system for all Google products and services.
Google provides a single ID through the Gua system, which connects all their Google accounts and services (eg, Google Drive, YouTube, Google Maps, etc.). As a result, when users use a Google service, all the information and settings are sank by the same Gaia ID.
Brotekat discovered the method of extracting an email address through the web version of the Pixel Recorder App. He shared a recording from the Gia ID from that app. Generally, when something like this is shared, a notification is sent to the owner of the Gia ID. However, Brutekat used a Python script to evacuate the notification, which made the recording file name as long as 2 million characters. As a result, the notification could not be sent and the target's email address was leaked.
The information related to this error was submitted to the Google Bug Bounty program, and he was first informed that he would be given $ 1,500 to find the error. However, after some thoughts, Google realizes that the risk of misuse of this error is much higher and therefore they give an additional 3,000 prizes. That is, Brotekat won a total of $ 4,000.
Google takes quick action after identifying this problem and heals the flaws.
