You Can Delete Any YouTube Video, Researcher Says

You Can Delete Any YouTube Video, Researcher Says

Security researcher Kamil Hismatullin has found a flaw in YouTube that allowed anyone to delete any YouTube video.  He found that the YouTube videos can be deleted by sending the identity number of a video in a post request along with any token.

Using the following request :


event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN

For identifying and reporting the error, Google paid him $5,000 in accordance with its bounty-hunting program for bugs. He also uploaded a video to YouTube that demonstrates the attack :

Hismatullin said, "In general I spent 6-7 hours to research, considering that couple of hours I've fought the urge to clean up Bieber's channel haha."

"Since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time. It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D," he added.

No comments

Powered by Blogger.