Recently, security researcher Kamil Hismatullin, as is his wont, spent a few hours poking at Google services.
In particular, he was poring over YouTube to see if he could spot any cross-site request forgery (CSRF) or cross-site scripting (XSS) issues.
But he stumbled on a far more severe bug: one that could have let him delete any video on YouTube.
He exploited the flaw by sending the identity number of a video in a post request along with any token – a very simple request that looked something like this:
POST /live_events_edit_status_ajax?action_delete_live_event=1 HTTP/1.1
Host : www.youtube.com
...
event_id=<video id>&session_token=<any token>
The bug is very similar to a Facebook flaw that was uncovered in February. The Facebook vulnerability, found by researcher Laxman Muthiyah, allowed an attacker to delete any photo they could see on Facebook.
Both vulnerabilities were problems with access control and both turned up in Application Programming Interfaces (APIs) provided by the sites.
In both cases the researchers uncovered flaws that could have allowed them to create absolute havoc.
So, was it time to wave goodbye to channel “PewDiePie”? To bid hasta luego to “Smosh”?!? To say sayonara to all things Justin Bieber!??!
Unbeliebably, Hismatullin refrained from cleaning up Justin’s channel:
In general I spent 6-7 hours to research, considering that couple of hours I've fought the urge to clean up Bieber's channel haha.
…and instead reported the bug to Google, which jumped on the bug lickety-split, he said:
Although it was an early Saturday's morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time.
He posted a proof of concept video to YouTube.
Hismatullin is actually one of the security researchers whom Google decided to invite to its new, experimental program, called Vulnerability Research Grants.
Google announced the grants, which are actually up-front awards paid to hand-picked researchers before they ever submit a bug, in January.
Hismatullin got the maximum payout, $5,000, allowable under the program rules.
Happy researcher, relieved Googlopolis, Bieber off the hook:
It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D
Image of YouTube courtesy of Michal Ludwiczak / Shutterstock.com.
LyKP
Am I the only one that thinks “the maximum payout, $5,000” is like a joke?
Richard
he should have got a few millions because YouTube would have lost that easily with add revenue !!!
Jamie WIlson
$5000 what a joke, if this is true this man deserves upwards of $100k.
Anonymous
Yes, directly taken from IT security’s salaries :)
onehappynegro
well if he had removed the justin biber channel clearly worth 100k
Seven11
Wow that was one heck of a vulnerability, to think that something like that is even possible is scary as hell.
Anonymous
You have to really hate money to stay white/grey-hat….
He could have had 50K worth of fun just deleting gangnam style..
Jane Ang
Cool.