Security researcher Kamil Hismatullin earned himself a respectable $5,000 recently after uncovering a serious vulnerability on YouTube that allowed him to delete any or all videos from the popular video streaming service.
The vulnerability, which is very similar to a recent discovery on Facebook, stems from a flaw in access control. Using the short request below, Hismatullin could have caused havoc for the YouTube offices and for millions of YouTube users.
POST /live_events_edit_status_ajax?action_delete_live_event=1 HTTP/1.1
Host: www.youtube.com
...

event_id=<video id>&session_token=<any token>
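As an added illustration (not part of the original article and not YouTube's code), the sketch below models a handler that accepts the two parameters from the request above, first without and then with server-side access control. The data store, token scheme and function names are hypothetical, and it assumes the flaw amounts to an unvalidated token plus a missing ownership check.

```python
# Added example: hypothetical server-side handler, not YouTube's code.
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value for the demo
# Constructed sample data: event_id -> owning account
EVENTS = {"vid_alice_1": "alice", "vid_bob_1": "bob"}


def issue_token(user: str) -> str:
    """Issue a session token bound to one user (HMAC over the user name)."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def delete_event_vulnerable(events, user, event_id, session_token):
    """Broken access control: any non-empty token, no ownership check."""
    if event_id in events and session_token:
        del events[event_id]
        return 200
    return 404


def delete_event_hardened(events, user, event_id, session_token):
    """Validate the token for this session, then check who owns the event."""
    expected = issue_token(user).encode()
    if not hmac.compare_digest(session_token.encode(), expected):
        return 403  # token was not issued to the authenticated user
    if events.get(event_id) != user:
        return 404  # same answer for unknown and foreign ids (no enumeration)
    del events[event_id]
    return 200


if __name__ == "__main__":
    store = dict(EVENTS)
    print(delete_event_vulnerable(store, "alice", "vid_bob_1", "anything"), store)
    store = dict(EVENTS)
    print(delete_event_hardened(store, "alice", "vid_bob_1", issue_token("alice")), store)
```

The authorization decision uses only the server's own record of who owns `event_id`; nothing supplied in the request body is trusted to establish ownership.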
In a response posted on the Naked Security website, Hismatullin said he spent “6-7 hours” researching and “fought the urge to clean up Bieber’s channel”.
He continued, “Although it was an early Saturday morning in SF when I reported the issue, the Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can use this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time.”
Hismatullin was awarded the maximum payout available under Google’s new program, Vulnerability Research Grants.