Goodbye, Bieber? Bug Can Make Any YouTube Video Go Away

Written by

Imagine, there you are, watching your latest favorite cat video, or delighting again in Justin Bieber's merciless roasting. Then all of a sudden, poof—it disappears.

It turns out that this reality may have been narrowly avoided. A recent recipient of a Google security grant, Kamil Hismatullin, has put his $1337 cash advance to good use, uncovering a bug in YouTube that would allow an attacker to delete any video uploaded to the streaming service.

The find earned Hismatullin $5,000 in additional bug bounty cash.

The scope of the attack surface that the No. 1 video site on the web represents is enormous: According to comScore's most recent monthly Video Metrix, Google Sites, driven primarily by online video viewing at YouTube.com, saw 144.6 million unique viewers in February. And right now, 300 hours of video content is being uploaded to YouTube every minute.

Hismatullin, a student, was investigating how YouTube Creator Studio’s live_events/broadcasting systems works, and was looking for CSRF or XSS issues. Unexpectedly, he instead discovered a logical and easily exploitable flaw.

The researcher said that he spent around six or seven hours finding the bug, which he duly reported to Google, and which the internet giant subsequently fixed within hours.

“Although it was an early Saturday morning in SF when I reported issue, Google’s security team replied very fast, since this vuln could create utter havoc in a matter of minutes in bad hands who can use this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time,” Hismatullin said in his blog.

Google expanded its bug bounty program in early February with the addition of an experimental up-front research grant program that pays researchers for their time, before they even discover a coding vulnerability. The awards that are meant to encourage research participation in bug-hunting even as the effort becomes more challenging over time. There will be various tiers of grants, with a maximum of $3,133.70.

Since launching in 2010, Google’s overall bug-hunting program has paid more than $4 million in rewards to security researchers. It paid out $1.5 million in 2014 alone, to 200 different researchers, with the largest award topping out at $150,000.

What’s hot on Infosecurity Magazine?