Google Addresses Security Vulnerabilities Discovered by Researcher

By Tina Reynolds

Google has acknowledged several vulnerabilities in its account recovery and YouTube API functionality. The acknowledgment follows responsible disclosure of the issues by Singaporean security researcher “brutecat.” The findings were alarming for user privacy and security on the platform, and Google felt compelled to act fast.

On April 14, 2025, “brutecat” reported a critical vulnerability in Google’s account recovery process. This vulnerability could have let users identify whether any given display name was linked to a known recovery email or phone number. In appreciation for this find, Google awarded the researcher a $5,000 bug bounty. On June 6, 2025, Google began implementing security measures. To lessen the risks associated with this vulnerability, it removed its non-JavaScript username recovery form.

Vulnerabilities in Account Recovery

According to “brutecat,” attackers could exploit the vulnerability by using Google’s account recovery tools to verify the links between new display names and publicly visible recovery contact information. This might expose users to unauthorized access and phishing attempts.

Additionally, Google’s CAPTCHA-based rate limit system could be circumvented, permitting attackers to attempt multiple permutations of a Google account’s phone number. Experts caution that this particular vulnerability can be exploited in a matter of seconds or minutes. The time required depends on the length of the phone number.

“An attacker with access to a Google account that had a channel that joined the YouTube Partner Program (over 3 million channels) can obtain the email address as well as monetization details of any other channel in the YouTube Partner Program. The attacker can use this to de-anonymize a YouTuber (as there is an expectation of pseudo-anonymity in YouTube), or phish them.” – Google

YouTube API Flaw

Aside from the account recovery vulnerability, “brutecat” discovered another serious issue impacting the YouTube API. He found a bug in the YouTube API and traced it back to an old web API from Pixel Recorder. This connection would further enable attackers to discover the email addresses of YouTube channel owners.

Google noted the seriousness of this issue and awarded “brutecat” a $10,000 bounty for this find. The vulnerability has serious implications: it would expose content creators’ real names, putting them at greater risk of de-anonymization and phishing attacks.

Google’s Response and Future Measures

After the responsible disclosures by “brutecat,” Google moved quickly and decisively to resolve these vulnerabilities. The firm is making advances in its security efforts. It goes beyond standard promises to protect user data by running an active bug bounty program. This program gives security researchers a safe harbor and the motivation to do the right thing: report vulnerabilities responsibly in exchange for financial rewards.

Google’s new steps are likely to instill user confidence. The company is removing its non-JavaScript username recovery form and patching holes in its APIs to protect its platform from abuse and keep its community secure.