Google recently paid a security researcher $5,000 for finding a bug in YouTube that let him delete any video on YouTube.
A Russian security researcher has discovered very simple & critical flaw in Google owned YouTube that allowed anyone to delete any video uploaded to the YouTube.
Kamil Hismatullin, a Russian security researcher was searching for security vulnerabilities in YouTube in order to try and win one of the bug bounty that Google hands out to security researchers for finding bugs.
While looking for Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) bugs in YouTube Creator Studio, Hismatullin found a simple logical bug through which it was easy to fool YouTube into deleting any video on its system just by sending an identity number of any video in a post request against any session token.
I’ve fought the urge to clean up Bieber’s channel,” Hismatullin said in his blog post. “Luckily no Bieber videos were harmed.
The researcher reported the issue to Google, and the search engine gaint fixed the problem within several hours. Hismatullin was also given $5,000 bug bounty for finding & reporting the critical vulnerability and an extra $1337 under the company’s pre-emptive vulnerability payment scheme.