
The security flaw, which has now been patched, involved a sophisticated exploit chain combining YouTube's user blocking system and Google's Pixel Recorder application.
The researcher discovered that YouTube's internal API leaked unique per-account identifiers known as "obfuscated Gaia IDs" when a user was blocked in live chat. While an obfuscated Gaia ID does not reveal personal information on its own, it could be fed into Google's Pixel Recorder sharing functionality to obtain the email address of the associated Google account.
The researcher also devised a workaround to keep the target from being notified when the recording was shared with them: by giving the recording a 2.5 million character title, the system failed to send the notification email to the target user, so the email address could be retrieved without their knowledge.
"This was super strange to me because YouTube should never leak the underlying Google account of a YouTube channel," noted the researcher in their disclosure.
The exploit chain highlighted how seemingly minor issues across different Google products could be combined to create significant privacy risks.
Google's security team responded promptly to the disclosure, initially awarding $3,133 before increasing the bounty to $10,633 after recognizing the exploit's high impact and sophisticated methodology.
Google has now fixed both halves of the chain, the YouTube identifier leak and the Pixel Recorder lookup. The case serves as a reminder of how creative attackers can piece together information across different services to compromise user privacy.
This type of responsible security research helps companies identify and address privacy vulnerabilities before they can be exploited maliciously.