A Russian security researcher discovered a flaw in YouTube’s system that allowed anyone to delete any video on YouTube. Now this vulnerability is fixed and Google paid the researcher an amount of $5000 for finding this bug.
Kamil Hismatullin was trying to search for a security vulnerability in YouTube in order to win cash rewards that Google gives out to researchers. “I wanted to find there some CSRF or XSS issues, but unexpectedly discovered a logical bug that let me to delete any video on YouTube with just one request,” Hismatullin says. He found that if was very easy to fool YouTube System and delete any video from the server easily. He also demonstrated how he managed to delete a video from YouTube in the video below.
The video above highlighted that YouTube had a flaw and there may be more issues like this waiting for someone to discover them. If Kamil had deleted any video of any famous person then Google might have not paid him. So he decided not to do so.
The hack could have caused problems for Justin Bieber.” I’ve fought the urge to clean up Bieber’s channel,” Hismatullin said. Luckily no video of Justin beiber was deleted from Youtube. Google fixed the problem within few hours after this vulnerability was registered. Google solved the issue very fast. People online requested him to delete the “Gangnam Style” video but it was too late to do so.
This is the vulnerable POST request that Hismatullin found in YouTube:
POST – https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
The key part there is “delete_live_event.” To delete any video from YouTube, all Hismatullin had to do was fill in the ID of a YouTube video, and YouTube would delete it without checking whether he was actually allowed to.