You Can Delete Any YouTube Video, Researcher Says

Security researcher Kamil Hismatullin found a flaw in YouTube that allowed anyone to delete any YouTube video. He found that a video could be deleted by sending its ID in a POST request along with any token.

The request was:

POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1

event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
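The request above succeeds only if the server acts on event_id without checking that the account behind session_token owns that video. The following is an added example, not YouTube's code and not from the researcher: it models that missing ownership check beside a handler that enforces it. The in-memory stores, function names and status codes are assumptions made for illustration.

```python
import secrets

# Constructed sample data: video/event ID -> owning account.
EVENT_OWNERS = {"vid_alice_001": "alice", "vid_bob_001": "bob"}
# Hypothetical session store: session token -> authenticated account.
SESSIONS = {}

def login(user):
    """Issue a random session token bound to one account."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user
    return token

def user_for_token(session_token):
    """Return the account a token belongs to, or None if it is unknown."""
    return SESSIONS.get(session_token)

def delete_event_vulnerable(events, event_id, session_token):
    """Models the flaw: the token must be a live session, but the
    caller is never compared with the owner of event_id."""
    if user_for_token(session_token) is None:
        return 403
    if events.pop(event_id, None) is None:
        return 404
    return 200

def delete_event_hardened(events, event_id, session_token):
    """Object-level authorization: delete only the caller's own event."""
    user = user_for_token(session_token)
    if user is None:
        return 403
    owner = events.get(event_id)
    # Same answer for "no such event" and "not yours", so the endpoint
    # cannot be used to probe which IDs exist.
    if owner is None or owner != user:
        return 404
    del events[event_id]
    return 200

if __name__ == "__main__":
    bob = login("bob")
    events = dict(EVENT_OWNERS)
    print("vulnerable:", delete_event_vulnerable(events, "vid_alice_001", bob))
    events = dict(EVENT_OWNERS)
    print("hardened:  ", delete_event_hardened(events, "vid_alice_001", bob))
```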

For identifying and reporting the flaw, Google paid him $5,000 under its bug bounty program. He also uploaded a video to YouTube that demonstrates the attack.

Hismatullin said, "In general I spent 6-7 hours to research, considering that couple of hours I've fought the urge to clean up Bieber's channel haha."

"Since this vuln could create utter havoc in a matter of minutes in the bad hands who can use this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time. It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D," he added.