‘Doomsday Flaw’ Gave Power to Delete Everything on YouTube

Posted on April 3rd, 2015 by

You can file this one under tech doomsday near misses.

A Russian software developer and security researcher, Kamil Hismatullin, discovered a security flaw in YouTube that gave him, or anyone for that matter, the power to delete everything on YouTube. He joked that, between finding the flaw and reporting the issue to Google, he "fought the urge to clean up Bieber's channel."

What stood between Hismatullin and Justin Bieber's YouTube channel? Google's new experimental program, called Vulnerability Research Grants, which offers monetary grants to "top performing, frequent vulnerability researchers" in exchange for their time and attention looking into potential vulnerabilities in specific applications.

If not for the reward, well, who knows…

But here's what we do know.

In February, Kamil Hismatullin was awarded a $1,337 grant for sensitive product security research. If he found vulnerabilities during his research, he would receive both the grant money and an additional reward for detecting issues.

He chose to target YouTube Creator Studio in search of exploitable bugs. After investigating for several hours, he "unexpectedly discovered a logical bug that let me to [sic] delete any video on YouTube…" Here's a video he posted (ironically, to YouTube), which shows how the exploit works:

On reporting the YouTube flaw to Google's security team, he said:

Although it was an early Saturday's morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time. It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed 😀

Fortunately, this doomsday scenario was mitigated. But just imagine what could have happened if a malicious hacker discovered the flaw first. And that, ladies and gents, is what we call a very close encounter.