YouTube Bug Could've Exposed Emails Of 2.7 Billion Users
www.forbes.com
For at least four months and possibly much longer, YouTube was vulnerable to a sneaky exploit that could've leaked the email address of any of its users, all 2.7 billion of them.

The attack vector, uncovered by security researchers going by the aliases Brutecat and Nathan, combined two separate design shortcomings in Google APIs in order to get to its final target: acquiring an email address.

Before you panic: The researchers disclosed the security hole last September. Google has since patched it and issued a $10,000 reward to Brutecat and Nathan.

But here's why the discovery is a big deal.

How The YouTube Exploit Works

A leaked email might seem like a minor incursion, but chained with additional attack vectors, it could ultimately have larger repercussions. It also puts users' anonymity at risk.

At the core of the security hazard is a Google account management mechanism dubbed GaiaID, a Google Accounts and ID Administration (GAIA) number linked to individual users.

"The GaiaID leak likely lasted for years now, at least ever since Google implemented the block feature on YouTube live chat," Brutecat tells me. "Not long ago, these were even leaked from the YouTube comments API response for use with the profile card feature."

Brutecat adds it's definitely possible that people scraped these GaiaIDs from comments, but questions whether they would've successfully linked them to email addresses.

More concerningly, the researcher notes that other Google products like GPay, Play and Maps also leaked GaiaIDs.

"I hope Google would eventually fix this as well," Brutecat tells me, adding it's possible there might be similar GaiaID-to-email attack vectors in the wild to be exploited in these products.

(Google wasn't immediately available for comment, but I've reached out and will update this piece accordingly if I hear back.)

Back to the exploit. Leveraging a GaiaID to unveil an email address required another move. For that, Brutecat and Nathan used the Pixel Recorder app in order to email a potential victim.

At first, the researchers noticed that sending a recording to an email would also come with a notification, which would've alerted a user that something malicious is taking place. But by making the recording title length 2.5 million characters long, they were able to send an email without alerting a user with a notification.

The security whizzes have since posted a proof-of-concept video.

Just How Big Is The Scale Of The YouTube Exploit?

Just how big of a danger is the GaiaID exploit? Well, the issue is that Google relies on this mechanism across its suite of products. For reference, YouTube has 2.7 billion users. Maps had surpassed 10 billion installs on Android by 2021.

Factoring this in, unpatched GaiaID leaks, whether in YouTube or other products, could put billions of users at risk. The good thing is that Google has already plugged one of these holes; better hurry up and take care of the rest soon.