Flaw in YouTube Allows Removal of Any Video
The Russian security researcher Kamil Hismatullin has discovered a critical flaw in YouTube that could be exploited by attackers to delete any video the popular video sharing service.
The bug hunter is not new to these discoveries, he reported several flaws to Google in the past and he was awarded $1,337 as part of the company bounty program known as “Vulnerability Research Grants” program.
The goal of the Google program is to invite experts and hacker to analyze the level of security for Google products and services, including YouTube.
Hismatullin spent part of his time in analyzing YouTube Creator Studio where he was looking for cross-site scripting (XSS) and cross-site request forgery (CSRF) fleas when he discovered a logical bug that allowed him to remove any video from YouTube using a simple POST request.
Google fixed the flaw in YouTube a few hours after Hismatullin reported it to Google and he was also awarded $5,000 for his discovery. Google recognized that the flaw was really serious so it awarded the maximum amount of money reserved for the logic flaws that lead to bypassing significant security controls in normal Google applications.
