351
136
submitted 2 months ago by Zerush@lemmy.ml to c/privacy@lemmy.ml

Andisearch Writeup

A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube's 2.7 billion users by exploiting two separate Google services[^1][^2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube's block feature, then using Google's Pixel Recorder app to convert these IDs into email addresses[^1].

To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system[^1]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users' GaiaIDs without actually blocking them[^2].

Brutecat reported the vulnerability to Google on September 15, 2024[^1]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity[^1]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers[^2].

Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure[^1].

[^1]: Brutecat - Leaking the email of any YouTube user for $10,000

[^2]: Forbes - YouTube Bug Could Have Exposed Emails Of 2.7 Billion Users

352
75

After a recent forced update, I can no longer log in to my bank account; the app brings up Google Play and expects me to log in to gplay for whatever reason. I am not logged into that cancer on my phone, so now I am fuming and don't want to be forced to make a Google account on the phone. (By the way, I have been using Aurora to avoid gplay.)

I am hoping someone has some trick or app to bypass this? I have talked to the bank but there is nothing they can do for just one weird customer!

Everything is going to shit in this dystopian technocracy

353
21
submitted 2 months ago* (last edited 2 months ago) by absurdity_of_it_all@lemmy.ml to c/privacy@lemmy.ml

I'm considering getting a domain with a .place TLD. Will it cause any issues like emails being blocked or something? I searched and it doesn't seem particularly notorious for spam or anything, but I wanted to find out if there are people who can tell me from experience.

Edit: This is not for running my own server - I have a provider, Disroot.

354
108
submitted 2 months ago* (last edited 2 months ago) by dunes@feddit.org to c/privacy@lemmy.ml

I have been using Porkbun for domain name registration until now, but I wanted to move to a European registrar. When I registered a domain, I received this email. Is it normal? If not, what registrar do you use? I have filled in my name and address while registering an account and have 2FA on. It's an ID verifier app.

The app: https://apps.apple.com/us/app/infomaniak-kcheck/id1500022928

To Infomaniak's credit, they gave me a refund instantly when I asked.

355
76
submitted 2 months ago* (last edited 2 months ago) by FriedRice@lemmy.ml to c/privacy@lemmy.ml

Hey folks! Someone in my family (Person A) has talked to a guy who is working in the tech world about whether it makes sense to use Signal over Messenger, Snap, or WhatsApp, with privacy in mind. The tech guy said there is no difference, that it doesn't make sense to use it, and that it's almost the same. I know Signal is discussed a lot here, but I'm now looking for some arguments and facts to tell the one from my family that the tech guy is wrong. What arguments can I use? Why is Signal better in privacy than the other alternatives? Person A has always been sceptical about me being so privacy-minded, and A thinks that there is nothing to do to protect, and is one of those saying: I have nothing to hide.

Edit: thank you for the help

356
48
submitted 2 months ago by Rexios@lemm.ee to c/privacy@lemmy.ml

Kagi haters are in shambles

357
4
Help with VPN (lemmy.world)
submitted 2 months ago by CaptnNMorgan@lemmy.world to c/privacy@lemmy.ml

I apologize if this isn't the place, I'll happily repost somewhere else if someone gives any suggestions pertaining to that.

I've been using Eddie with AirVPN on my PC for a little over two years. I have never been able to identify which programs are using my network with Task Manager, because all the traffic went through openvpn.exe.

I just switched to WireGuard thinking it would help me figure out which programs are using so much data, but it provides even less information. It's significantly faster, so I'll be sticking to WireGuard, but I still can't tell which program is actually using the network in Task Manager. I've been googling all morning and can't find a proper solution to my problem. It definitely seems like others want the same thing, but I haven't found any thread where the people answering actually understood the issue.

Task manager shows all traffic is going through wireguard.exe or airvpn.exe, so how can I tell which programs are actually using data?

358
237
submitted 2 months ago* (last edited 2 months ago) by JackAttack@lemmy.dbzer0.com to c/privacy@lemmy.ml

Apologies if I can't list specific 3rd-party Android OSes here. I know you can't on some reddit privacy subs due to some beef between devs, I guess. I'll take it down if needed :)

Regardless, I've been running GOS for a while and just found out there's a feature that allows you to use biometrics while still requiring your PIN on the initial lock screen. One of my concerns with biometrics is that in some jurisdictions, law enforcement can force someone to open their phone through face ID or thumbprint.

I've been using this feature that allows you to use biometrics, but when you are on the lock screen, it still requires your PIN. I thought this was really cool because it allows me to use biometrics only to unlock my apps while still adding an extra layer of protection to the unlocking of the device itself. Obviously slightly inconvenient depending on your worries/threat level, but I just wanted to share this in case anyone else was interested and didn't know about it! Very cool!

EDIT: I just re-read my screenshot and it looks like fingerprint unlock is not correlated to using fingerprint for app unlocking. If this is the case then I'm not quite sure what the actual benefits are here. Please feel free to clarify!

359
33
submitted 2 months ago by blackberry@midwest.social to c/privacy@lemmy.ml

Streaming has a history of being data intrusive, and buying from most online stores shows itemized music receipts to the credit card company (and they don't typically allow gift cards). Buying in person is nice, but it's harder to get new music.

Any tips?

360
8
submitted 2 months ago by technomad@slrpnk.net to c/privacy@lemmy.ml

Does anyone have tips for redirecting YouTube links on mobile Android?

I tried Firefox with the LibRedirect add-on, but it doesn't want to work for some reason.

361
39
submitted 2 months ago by monovergent@lemmy.ml to c/privacy@lemmy.ml

Work uses Slack, which is quite entrenched in the organization, so trying to move all of my contacts over to something else would be nontrivial. Colleagues use it to send moderately urgent messages every now and then, so notifications on my phone would be a nice-to-have.

I haven't had much luck finding well-maintained open-source clients for Slack. I could sandbox Play Services alongside the official app or a browser, but I'd rather not make my phone run the whole Google Play stack just for those notifications. Did I miss any low-hanging fruit or is hosting a Matrix bridge the only alternative?

362
68
submitted 2 months ago by schizoidman@lemm.ee to c/privacy@lemmy.ml

cross-posted from: https://lemm.ee/post/55331045

363
425
submitted 2 months ago by jjlinux@lemmy.ml to c/privacy@lemmy.ml

At this pace, I'll either never change my car or will never buy a car again.

364
68
submitted 2 months ago by foremanguy92_@lemmy.ml to c/privacy@lemmy.ml

Is Matrix good to use? I've seen a lot of drama around it. For example, hackliberty.org left it because of a lack of security and moderation. Do you still recommend it?

365
198
submitted 2 months ago by zdhzm2pgp@lemmy.ml to c/privacy@lemmy.ml
366
243

I ran my old 2004 Samsung television into the ground: the EL backlight was so worn out that the picture had large dark holes in it, and the TV would take 20 minutes to warm up and display something.

And today it wouldn't start at all anymore. It's deader than a dead dodo. But hey, 20 years for a modern TV ain't bad. I'm pretty pleased with that.

So I went to the supermarket to find the cheapest set I could find. I asked the salesman if they had a cheap, but most importantly NON-SMART TV - thinking non-smart TVs are probably the cheapest of them all, if they still existed at all.

The man said "We have this dumb 43" TV here, but it's the last one, and then we won't get anymore dumb TVs for 3 months."

I looked at the price and it was - gasp - $20 MORE than the cheapest Android-encumbered smart TV of the same size.

I asked the man how come and he said "Well, dumb TVs are hard to get and they sell almost immediately. So they're worth more than the smart ones."

Wow. So people actually WANT dumb TVs and are willing to pay a premium for em. It means attitudes towards the value of privacy are changing and that's great!

367
49
submitted 2 months ago by simon@slrpnk.net to c/privacy@lemmy.ml

Android's Gboard always suggests replies in chat apps that fit the context of what my contacts write.

If my previous message had been related, I would assume it predicted what my contact would say in response and make a suggestion based on that. But even if the contact changes the topic, the suggestions are appropriate.

I don't expect that the apps all share the conversation with Gboard. So how are the predictions made?

It seems unlikely that it would take screenshots and base predictions on that. But otherwise I don't know how it is possible.

368
107
submitted 2 months ago* (last edited 2 months ago) by padlock4995@lemmy.ml to c/privacy@lemmy.ml

Scarily... They don't need to be this creepy, but even I'm a tad baffled by this.

Yesterday me and a few friends were at a pub quiz, of course no phones allowed, so none were used.

It came down to a tie-break question between my team and another: "What is the run time of the Lord of the Rings: Fellowship of the Ring" according to IMDb.

We answered and went about our day. Today my friend from my team messaged me - top post on his "today feed" is an article published 23 hours ago.....

Forgive the pointless red circle.... I didn't take the screenshot.

My friend isn't a privacy-conscious person by any means, but he didn't open IMDb or google anything to do with the franchise and hasn't for many months prior. I'm aware it's most likely an incredible coincidence, but when stuff like this happens I can easily understand why many people are convinced everyone's doom brick is listening to them....

369
82
submitted 2 months ago* (last edited 2 months ago) by vaionko@sopuli.xyz to c/privacy@lemmy.ml

I currently use KeePassXC that is synced through Nextcloud. The sync isn't very elegant, especially on my phone. So I'm looking for a new password manager which has native server sync support that I can self-host. What do y'all recommend? I need at least a phone app and a browser integration that can autofill.

370
46
submitted 2 months ago by yogthos@lemmy.ml to c/privacy@lemmy.ml
371
96
submitted 3 months ago by ray@lemmy.ml to c/privacy@lemmy.ml
372
9
submitted 3 months ago by thomask@lemmy.sdf.org to c/privacy@lemmy.ml
373
30
submitted 3 months ago by towelie@lemmy.world to c/privacy@lemmy.ml

I have been messing around with creating a homoglyph keyboard for Android, but I'm wondering if it's even worthwhile. Is there any benefit to masking your messages with homoglyphs? Primarily I think it could defend against an LLM's ability to easily scrape messages. In my experiments ChatGPT and DeepSeek both get confused by homoglyph messages unless you instruct them to determine the likely alphabet characters and numbers for each individual character.

For the uninitiated, Ꮋ0ᛖοԌⅼуᏢʜѕ áᚱе ᏟhäʀɑсᎢᎬᚱႽ thàτ Lоοᛕ ⅼіᛕË ᏞëtTêᚱᏚ

374
47
submitted 3 months ago by asbestos@lemmy.world to c/privacy@lemmy.ml

What service would you recommend for receiving SMS confirmation codes etc. that is not blocked by most services (which probably only leaves the paid ones)?

375
74
submitted 3 months ago by Petter1@lemm.ee to c/privacy@lemmy.ml

Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

much thanks to @gary_host_laptop for the logo design :)
