blog-2025-02-12-leaking-youtube-users-email

Wednesday, February 12, 2025, 4:50:34 PM Coordinated Universal Time by stefs

https://brutecat.com/articles/leaking-youtube-emails

the interesting (for me) part of this attack is not the leak of the google ID (gaia ID), or the usage of a legacy system.

the interesting (for me) part is the trick they use to prevent the notification email (which would alert the victim) from being sent:

  1. use the legacy system's api to leak the email via a test recording
  2. the legacy system would now send a notification email about the test record, including its title
  3. to prevent this, choose a 2.5m character long title for the test record
  4. now the action is executed, but the notification email is not sent

i guess the action is executed first and the notification email is sent afterwards; when an email sending error occurs, the action is not rolled back.
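The ordering guessed at above, next to a hardened variant, as an added sketch that is not code from the original post or from Google. All names, the SQLite schema, the stand-in mailer and both size limits are assumptions: the hardened version bounds the title before doing anything and writes the action and its notification in one transaction (an outbox row that a separate worker would deliver with retries).

```python
import sqlite3

MAX_TITLE = 200          # assumed title limit for this sketch
MAX_MAIL_BODY = 10_000   # assumed size limit of the stand-in mailer
SENT = []                # mails the stand-in mailer accepted

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE recordings (account TEXT, title TEXT)")
    db.execute("CREATE TABLE outbox (rcpt TEXT, body TEXT)")
    return db

def send_mail(rcpt, body):
    """Stand-in mailer that rejects oversized messages."""
    if len(body) > MAX_MAIL_BODY:
        raise OSError("message too large")
    SENT.append((rcpt, body))

def create_recording_unsafe(db, account, title):
    """Commit first, mail afterwards, ignore mail errors."""
    db.execute("INSERT INTO recordings VALUES (?, ?)", (account, title))
    db.commit()
    try:
        send_mail(account, f"New test recording: {title}")
    except OSError:
        pass  # action stays committed, the account owner is never told

def create_recording_safe(db, account, title):
    """Bound the input, then commit action and notification atomically."""
    if len(title) > MAX_TITLE:
        raise ValueError("title too long")
    with db:  # commits both rows, or rolls both back on any exception
        db.execute("INSERT INTO recordings VALUES (?, ?)", (account, title))
        db.execute("INSERT INTO outbox VALUES (?, ?)",
                   (account, f"New test recording: {title}"))

def count(db, table):
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

def demo():
    long_title = "A" * 2_500_000  # constructed input, same size as in the post
    bad, good = new_db(), new_db()
    create_recording_unsafe(bad, "owner@example.test", long_title)
    try:
        create_recording_safe(good, "owner@example.test", long_title)
    except ValueError:
        pass
    return (count(bad, "recordings"), len(SENT),
            count(good, "recordings"), count(good, "outbox"))

if __name__ == "__main__":
    print(demo())
```

The first two values show the silent state (action stored, no mail accepted); the last two show that the hardened path stores neither the action nor a notification for the oversized title.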

tags: security google youtube email
