YouTube Bug Let Security Researcher Delete Anyone’s Videos
Google just fixed a critical security vulnerability in YouTube that would have allowed a malicious user to delete anyone’s videos. The bug, discovered by Russian security researcher Kamil Hismatullin, made it possible to delete any and all videos on YouTube with just three simple lines of code. Hismatullin’s discovery could have caused utter havoc, and the white hat hacker says he “fought the urge to clean up [Justin] Bieber’s channel”. Hismatullin reported the vulnerability to Google, and the company fixed the bug several hours later. Google also rewarded Hismatullin $5000 for his efforts.
“Google rewarded me $5k and luckily no Bieber videos were harmed”
Kamil Hismatullin is part of an experimental Google project called Vulnerability Research Grants. Google selects top performing security researchers and invites them to audit the security of various Google services. If the researcher doesn’t find any vulnerability, he/she is still awarded a grant for time and effort spent. If the researcher does, however, find a vulnerability, he/she keeps the grant and is awarded an additional bounty.
Hismatullin received the above email and decided to research YouTube Creator Studio. He spent a few hours looking for cross-site request forgery (CSRF) and cross-site scripting (XSS) issues, but instead, accidentally stumbled upon a logic bug. It turned out that with just the following three lines of code, Hismatullin could delete any video on YouTube.
POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
Hismatullin promptly notified Google about the vulnerability and put together a proof-of-concept displaying the bug.
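The request above pairs the caller's own session token with someone else's video ID. The article does not describe Google's server code or its fix, so the following is an added example, not YouTube's code: it assumes the flaw was a delete handler that verified the session but not ownership of the target object, and shows that handler beside a version with the ownership check. All function names, tokens and IDs are hypothetical.

```python
# Added illustration: a hypothetical in-memory model, not YouTube's code.
from dataclasses import dataclass

# Constructed sample data: session token -> logged-in user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Store:
    owners: dict  # video_id -> owning user

    def delete(self, video_id):
        del self.owners[video_id]


def new_store():
    # Constructed sample data: one video per user.
    return Store({"vid-alice-1": "alice", "vid-bob-1": "bob"})


def delete_event_vulnerable(store, session_token, event_id):
    """Checks that the caller is logged in, then trusts event_id as given."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401
    if event_id not in store.owners:
        return 404
    store.delete(event_id)  # no check that `user` owns event_id
    return 200


def delete_event_hardened(store, session_token, event_id, audit_log):
    """Same flow, plus an object-level authorization check before the delete."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401
    owner = store.owners.get(event_id)
    if owner != user:
        # Same 404 for "missing" and "not yours", so IDs cannot be probed;
        # cross-account attempts are recorded for detection.
        if owner is not None:
            audit_log.append(
                {"actor": user, "target_owner": owner, "event_id": event_id}
            )
        return 404
    store.delete(event_id)
    return 200
```

A valid session token proves who the caller is, not what they may act on; the audit entries give defenders a signal when one account repeatedly targets objects owned by others.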
For identifying such a massively critical security vulnerability, it seems like the $5000 Hismatullin was awarded wasn’t all that much. Facebook paid a security researcher $12,500 for identifying a similar bug that let anyone delete anyone’s photos. Hismatullin says, “To be honest I expected $15k – $20k :)”. However, Google’s Vulnerability Rewards Program rules state that the maximum the company can pay out for “logic flaw bugs leaking or bypassing significant security controls” in a “normal Google application” is $5000. Still, Hismatullin doesn’t seem too fazed.
“Security research is kind of my hobby, so I enjoy doing it regardless of the reward amount :)”