Recently, security researcher Kamil Hismatullin, as is his wont, spent a few hours poking at Google services.
In particular, he was poring over YouTube to see if he could spot any cross-site request forgery (CSRF) or cross-site scripting (XSS) issues.
But he stumbled on a far more severe bug: one that could have let him delete any video on YouTube.
He exploited the flaw by sending the identity number of a video in a POST request along with any token – a very simple request that looked something like this:

    POST /live_events_edit_status_ajax?action_delete_live_event=1 HTTP/1.1
    Host: www.youtube.com
    ...
    event_id=<video id>&session_token=<any token>

The bug is very similar to a Facebook flaw that was uncovered in February. The Facebook vulnerability, found by researcher Laxman Muthiyah, allowed an attacker to delete any photo they could see on Facebook.
Both vulnerabilities were problems with access control and both turned up in Application Programming Interfaces (APIs) provided by the sites.
In both cases the researchers uncovered flaws that could have allowed them to create absolute havoc.
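The access-control failure described above, as an added example that is not code from the article, Google or the researcher: a delete handler that accepts any token and never checks ownership, beside one that binds the token to the session and checks that the caller owns the object. The function names, the HMAC token scheme and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

# Everything here is hypothetical and constructed for illustration; not YouTube's code.
SECRET = b"constructed-demo-key"
VIDEO_OWNER = {"vid_alice": "alice", "vid_bob": "bob"}  # event_id -> owning user


def issue_token(user: str) -> str:
    """Session token bound to one user: HMAC(secret, user)."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def delete_unchecked(videos, session_user, event_id, session_token) -> int:
    """Behaviour the article describes: any token is accepted and the
    caller's identity (session_user) is never compared with the owner."""
    if not session_token:
        return 400
    return 200 if videos.pop(event_id, None) is not None else 404


def delete_checked(videos, session_user, event_id, session_token) -> int:
    """Hardened form: the token must belong to the caller, and the caller
    must own the object named by the request."""
    expected = issue_token(session_user).encode()
    if not hmac.compare_digest(expected, session_token.encode()):
        return 403  # token was not issued for this session
    if videos.get(event_id) != session_user:
        return 404  # same answer for "missing" and "not yours": no ID oracle
    del videos[event_id]
    return 200


def demo():
    """Bob is the logged-in caller in every request below."""
    a, b = dict(VIDEO_OWNER), dict(VIDEO_OWNER)
    bob_token = issue_token("bob")
    return (
        delete_unchecked(a, "bob", "vid_alice", "anything"),  # Alice's video is deleted
        delete_checked(b, "bob", "vid_alice", bob_token),     # valid token, not the owner
        delete_checked(b, "bob", "vid_alice", "anything"),    # arbitrary token
        delete_checked(b, "bob", "vid_bob", bob_token),       # legitimate delete
        sorted(a),
        sorted(b),
    )


if __name__ == "__main__":
    print(demo())
```

The point of the second check is that a valid token alone is not enough: authorization has to be evaluated against the specific object ID in the request.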
Unbeliebably, Hismatullin refrained from cleaning up Justin’s channel:
In general I spent 6-7 hours to research, considering that couple of hours I've fought the urge to clean up Bieber's channel haha.
…and instead reported the bug to Google, which jumped on the bug lickety-split, he said:
Although it was an early Saturday's morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can use this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time.
He posted a proof of concept video to YouTube.
Hismatullin is actually one of the security researchers whom Google decided to invite to its new, experimental program, called Vulnerability Research Grants.
Google announced the grants, which are actually up-front awards paid to hand-picked researchers before they ever submit a bug, in January.
Hismatullin got the maximum payout, $5,000, allowable under the program rules.
Happy researcher, relieved Googlopolis, Bieber off the hook:
It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed 😀