A few months ago Google debuted an experimental program called Vulnerability Research Grants, which offered grants to people finding bugs and big exploits within its services. Well, Kamil Hismatullin from Russia has uncovered a pretty big flaw in YouTube’s code.
He frequently reports bugs to Google and knew to look for code with problems. He selected YouTube Creator Studio as a target to analyze, and after a few hours he found two problems. One was easily exploitable and the other one wasn’t anything special. It turns out that the whole live_events/broadcasting system had some logic bugs that let the Russian researcher delete any video on YouTube he wanted.
He just had to use this request:
“POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN”
There’s a video showing how it’s all done, and the Russian researcher claims that he had quite an urge to delete a Justin Bieber video or two. Anyway, he resisted it and reported the problem to Google. It was very dangerous and could have caused ANY video in the world to be taken down. It was all fixed in a few hours and Google awarded the finder of the exploit $5k.
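The request above pairs the caller's own session token with any video ID, which is the shape of a missing object-level authorization check. The Python sketch below is an added example, not YouTube's code or the researcher's; it assumes that root cause (the article only says "logical bugs"), and every function name, token and ID in it is hypothetical and constructed.

```python
# Constructed sample data: hypothetical in-memory stand-ins for session and video stores.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
VIDEOS = {
    "vid-alice-live": {"owner": "alice", "kind": "live_event"},
    "vid-bob-upload": {"owner": "bob", "kind": "upload"},
}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


def delete_event_unchecked(store, session_token, event_id):
    """Flawed pattern: authenticates the caller but never checks who owns event_id."""
    if session_token not in SESSIONS:
        raise Forbidden("invalid session")
    return store.pop(event_id, None) is not None


def delete_event_checked(store, session_token, event_id):
    """Hardened pattern: ownership and object-kind checks before the state change."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("invalid session")
    video = store.get(event_id)
    # Same error for "missing" and "not yours" so IDs cannot be probed.
    if video is None or video["owner"] != user:
        raise Forbidden("not found or not owned by caller")
    if video["kind"] != "live_event":
        raise Forbidden("not a live event")
    del store[event_id]
    return True


def demo():
    """Replay the same cross-account request against both handlers."""
    flawed, fixed = dict(VIDEOS), dict(VIDEOS)
    flawed_result = delete_event_unchecked(flawed, "tok-alice", "vid-bob-upload")
    try:
        delete_event_checked(fixed, "tok-alice", "vid-bob-upload")
        fixed_result = "deleted"
    except Forbidden:
        fixed_result = "denied"
    owner_ok = delete_event_checked(fixed, "tok-alice", "vid-alice-live")
    return flawed_result, fixed_result, owner_ok, sorted(fixed)


if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug replays one account's request with another account's object ID and expects a denial, as `demo()` does.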
via kamil.hism.ru