Logical bug could have been easily exploited

Apr 2, 2015 08:25 GMT  ·  By

Google rewarded a security researcher with $5,000 / €4,600 for responsibly disclosing a logical flaw in YouTube that allowed the removal of any video on the media sharing website.

Exploiting the glitch required minimal effort: an attacker only needed to send a “delete” request carrying their own session token and the ID of the target clip.

Simple delete request is approved

Researcher Kamil Hismatullin started his investigation by observing how broadcasting of live events worked in YouTube Creator Studio, hoping to find cross-site request forgery (CSRF) or cross-site scripting (XSS) problems.

However, by issuing a POST request to remove a video belonging to any YouTube account, he received a positive reply and the content was deleted as if the owner had performed the action.

```
POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1

event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
```

The session token is present in the web page's source, while the video ID is available in its URL. The returned result was:

```
{
  "success": 1
}
```
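As an added illustration (not code from the article, from Google or from the researcher), here is the authorization check whose absence the request above demonstrates, written as a minimal Python handler: the vulnerable version accepts any valid session token, while the fixed version also requires that the session's account owns the event. The function names, accounts and token values are constructed for the example.

```python
# Constructed example: a minimal server-side handler showing the missing check.
# The names, the in-memory "database" and the token values are assumptions for
# illustration; nothing here is YouTube's code.

def sample_state():
    """Fresh constructed state: event_id -> owning account, session_token -> logged-in account."""
    videos = {"vid_alice_1": "alice", "vid_bob_1": "bob"}
    sessions = {"tok_alice": "alice", "tok_bob": "bob"}
    return videos, sessions


def delete_live_event_vulnerable(event_id, session_token, videos, sessions):
    """Behaves like the flaw described above: the token only proves the caller is
    *some* authenticated user; ownership of event_id is never checked."""
    if session_token not in sessions:
        return {"success": 0, "error": "not_authenticated"}
    if event_id not in videos:
        return {"success": 0, "error": "not_found"}
    del videos[event_id]  # any logged-in user can delete anyone's video
    return {"success": 1}


def delete_live_event_fixed(event_id, session_token, videos, sessions):
    """Object-level authorization: resolve the caller from the session, then
    require that the caller owns the event before acting on it."""
    caller = sessions.get(session_token)
    if caller is None:
        return {"success": 0, "error": "not_authenticated"}
    owner = videos.get(event_id)
    if owner is None or owner != caller:
        # One response for "no such event" and "not your event", so the endpoint
        # does not confirm which IDs exist to callers who do not own them.
        return {"success": 0, "error": "not_found"}
    del videos[event_id]
    return {"success": 1}


if __name__ == "__main__":
    videos, sessions = sample_state()
    # bob deletes alice's video: {'success': 1}
    print(delete_live_event_vulnerable("vid_alice_1", "tok_bob", videos, sessions))
    videos, sessions = sample_state()
    # same request against the fixed handler: {'success': 0, 'error': 'not_found'}
    print(delete_live_event_fixed("vid_alice_1", "tok_bob", videos, sessions))
```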

Research grant stimulates bug hunting

The issue was highly significant, and many say that Google should have paid more for being notified of it, drawing a parallel with Facebook’s rewards for two content-deleting bugs (one for photos, the other for timeline messages), where each reporter received $12,500 / €11,500.

However, under the rules of the reward program, Google paid the maximum amount for a logic flaw that bypasses security controls in a normal application, which is how YouTube is classified.

Hismatullin began his study after receiving a vulnerability research grant from Google worth $1,337 / €1,235, part of an experimental program in which the company pays security researchers on the strength of their previous work, even if no vulnerabilities are found.

The purpose of the project is to stimulate third parties to maintain their engagement in hunting down security glitches present in the company’s products.

Hismatullin says that Google's security team was quick to respond to his notification and fixed the issue within several hours. He also created a video demonstrating the validity of the problem: