blog-2025-02-12-leaking-youtube-users-email

https://brutecat.com/articles/leaking-youtube-emails

the interesting (for me) part of this attack is not the leak of the google ID (gaia ID), or the usage of a legacy system.

the interesting (for me) part is the trick they use to prevent the notification email (which would alert the victim) from being sent:

  1. use the legacy system's api to leak the email via a test recording
  2. the legacy system would now send a notification email about the test record, including its title
  3. to prevent this, choose a 2.5m character long title for the test record
  4. now the action is executed, but the notification email is not sent

i guess the action is executed first, the notification email is sent afterwards and when an email sending error occurs, the action is not rolled back.
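
a minimal model of the ordering guessed above, next to a hardened variant that validates the title before changing state and rolls back when the owner cannot be notified. this is an added example, not code from the article or from google; all function names, the size limits and the address are assumptions.

```python
# constructed model of the guessed ordering; all names and limits are assumptions
MAX_TITLE = 200           # assumed sane limit for a title
MAX_MAIL_BODY = 100_000   # assumed size limit of the mail gateway


class MailError(Exception):
    pass


def send_mail(outbox, owner, title):
    """hypothetical mail gateway that rejects oversized bodies"""
    body = f"new test recording: {title}"
    if len(body) > MAX_MAIL_BODY:
        raise MailError("body too large")
    outbox.append((owner, body))


def share_fragile(store, outbox, owner, title):
    """guessed ordering: commit first, notify afterwards, ignore mail errors"""
    store.append((owner, title))      # the action is already committed here
    try:
        send_mail(outbox, owner, title)
    except MailError:
        pass                          # no rollback, the owner never hears about it
    return True


def share_hardened(store, outbox, owner, title):
    """validate input first and treat the notification as part of the action"""
    if len(title) > MAX_TITLE:
        return False                  # rejected before any state changes
    store.append((owner, title))
    try:
        send_mail(outbox, owner, title)
    except MailError:
        store.pop()                   # undo the action if notifying fails
        return False
    return True


def demo():
    long_title = "A" * 2_500_000      # constructed input, length taken from the list above
    results = {}
    for name, fn in (("fragile", share_fragile), ("hardened", share_hardened)):
        store, outbox = [], []
        ok = fn(store, outbox, "owner@example.com", long_title)
        results[name] = (ok, len(store), len(outbox))
    return results


if __name__ == "__main__":
    print(demo())
```
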

tags: security google youtube email



last edited by: stefs at Wednesday, February 12, 2025, 4:50:34 PM Coordinated Universal Time

