Software developer Kamil Hismatullin has discovered a security flaw in YouTube that apparently granted him the power to delete any video he wanted. This means that he had the power to delete each and every video on the website, but don’t be alarmed, he had no desire to do so.
The developer reported the flaw to Google and apparently collected $5000 through the company’s Vulnerability Research Grants that launched back in January. For those unaware, the program offers anyone who finds significant vulnerabilities in specific applications a reward as an incentive for researchers to find and reports bugs and security flaws, having Google quickly swiping in and fixing them.
Hismatullin is said to have been offered $1337 back in February to dig into YouTube Creator Studio and after just six or seven hours, he found “a logical bug that let me delete any video on YouTube with just one following request.”
“Although it was an early Saturday’s morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time,” he wrote. “It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D”
A Google representative has confirmed what Hismatullin reported, having the exploit be one of or even the most destructive one found so far on the streaming giant’s website. Can you imagine a world where you go to YouTube and all of a sudden you are greeted with 0 videos on the entire webpage?
Thank you PCGamer for providing us with this information