A security researcher exposed a critical vulnerability in world’s popular video sharing website – YouTube. A Russian security bod named Kamil Hismatullin discovered a very simple logical vulnerability that allowed him to remove any video from YouTube in a matter of one click.
Hismatullin was looking for possible Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) flaws in YouTube Studio Creator. He was successfully able to wipe any video present in YouTube just by passing the unique identity number of the video in a POST request along with current session token.
The bug though appears to be very simple, is very critical in nature. A hacker knowing about this vulnerability could harm the entire YouTube network by taking down all the videos in a matter of minutes.
Hismatullin, in one of his posts said,
Although it was an early Saturday’s morning in SF when I reported issue, Google security team replied very fast, since this vulnerability could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time. It was fixed within a few hours.
The search engine giant fixed the issue within hours after the researcher reported about this bug to Google. Hismatullin was given $5,000 cash reward from Google for discovering and reporting the critical issue which could have created utter havoc. The hacker was also payed an extra $1337 under the company’s pre-emptive vulnerability payment scheme.