google

Google Fixes Flaw That Could Unmask YouTube Users’ Email Addresses

Google fixed vulnerabilities that could expose YouTube users' email addresses by chaining YouTube and Pixel Recorder APIs to reveal Google Gaia IDs, enabling identity breaches. Researchers disclosed the issues, noting significant privacy risks for anonymous users. After the report, Google increased the bounty for the findings and implemented fixes on February 9, 2025.

https://www.bleepingcomputer.com/news/security/google-fixes-flaw-that-could-unmask-youtube-users-email-addresses/

Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores

Hackers are using Google Tag Manager to insert credit card skimmer malware in Magento e-commerce sites. A security report by Sucuri identified obfuscated scripts masquerading as typical GTM code that provides attackers with backdoor access. The malware, stored in the Magento database, harvests user data during checkout and sends it to the attackers’ servers. This abuse of GTM for malicious purposes isn't new, with similar incidents reported since 2018. Recently, two Romanian nationals were charged for their involvement in a payment card skimming operation.

https://thehackernews.com/2025/02/hackers-exploit-google-tag-manager-to.html

Google Cloud Build Vulnerability Enables Data Destruction

Extreme TLDR: A Cisco Talos report reveals a Google Cloud Build vulnerability that allows attackers to delete or encrypt data across projects with minimal permissions, exploiting overly permissive default settings. Actions like creating a malicious GitHub pull request can trigger destructive commands. Mitigations include applying least privilege, monitoring Google Operations Logs, and requiring manual approvals for builds triggered by pull requests.

https://www.vulnu.com/p/google-cloud-build-vulnerability-enables-data-destruction-across-projects

Millions of Accounts Vulnerable Due to Google’s OAuth Flaw

A security issue allows anyone purchasing domains of defunct startups to access former employee accounts across various SaaS platforms, compromising sensitive data. Although the risk potentially affects over 10 million accounts, Google initially marked it as “won't fix” but later reopened the issue after a researcher’s talk. Proposed solutions include adding immutable identifiers to improve user security. Until the issue is addressed, many accounts remain vulnerable to misuse.

https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw
