While searching for security issues within Youtube Creator Studio, a Russian security researcher Kamil Hismatullin discovered a rather serious flaw within YouTube that allows an attacker to delete any video from the website.
“As a frequent Google reporter, I’ve received the email above and decided to spend some time on weekends and look into the security of Google products. I selected YouTube Creator Studio as a target and after a few hours I composed two reports. One of them was about easily exploitable, but pretty high severity issue,” says Hismatullin in a blog post.
Although he was investigating CSRF and XSS issues, he came across an unexpected logical bug within YouTube. He was now able to delete any video from YouTube by using the following request:
POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1 event_id: ANY_VIDEO_ID session_token: YOUR_TOKEN
Proof-of-Concept:
According to Mr. Hismatullin, Google quickly responded and fixed the reported flaw. He was also awarded a $5,000 reward for finding the flaw on top of the symbolic $1337 that he received from Google for being part of the Vulnerability Research Grants program. Kamil also notes that with great power comes great responsibility and with his newly-discovered superpowers, he was fighting an internal battle about whether or not to “clean up Bieber’s channel.”
