YouTube flaw could allow hacker to delete all of Justin Bieber's music videos
Posted by: Timothy Weaver on 04/06/2015 09:30 AM
Kamil Hismatullin, a Russian coder, was paid a $1,337 grant to investigate possible flaws in Google's YouTube code.
He spent six or seven hours and found that once he could copy part of a video's web address on YouTube, he could use it to wipe the clip within half a minute.
Instead of acting on the flaw, he immediately contacted Google.
He joked, however, that he was tempted to wipe Justin Bieber's music videos.
"I spent six to seven hours [on] research, considering that [for a] couple of hours I've fought the urge to clean up Bieber's channel, haha," wrote Mr Hismatullin.
"Although it was an early Saturday's (sic) morning in San Francisco when I reported [the] issue, Google's security team replied very fast, since this vulnerability could create utter havoc in a matter of minutes in the bad hands."
"This vulnerability [might have been used] to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time."
"It was fixed in several hours, Google rewarded me $5,000 and luckily no Bieber videos were harmed."
He found that the service could be hacked if he typed in both a video's event ID - which can be found in its web address - and a long string of letters and numbers known as an authentication token, which is supposed to act as a kind of password.
Mr Hismatullin could simply copy a token from his own account and use it to delete others' videos.
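The class of flaw described above is a missing ownership check: the token proves who the caller is, but nothing ties it to the video being deleted. The sketch below is an added example, not YouTube's code; the function names, token format and sample video IDs are all constructed for illustration, and it assumes the server validated the token without comparing its account to the video's owner.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-process signing key (constructed)

# Constructed sample data: video/event ID -> owning account
VIDEOS = {"vid-alice-1": "alice", "vid-bob-1": "bob"}


def _mac(user: str) -> str:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Token proves who the caller is; it says nothing about which video."""
    return f"{user}.{_mac(user)}"


def authenticate(token: str):
    """Return the user the token was issued to, or None if it is invalid."""
    user, _, mac = token.partition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None


def delete_video_flawed(store: dict, video_id: str, token: str) -> bool:
    """Flawed: accepts any valid token, never compares caller to owner."""
    if authenticate(token) is None or video_id not in store:
        return False
    del store[video_id]
    return True


def delete_video_checked(store: dict, video_id: str, token: str) -> bool:
    """Hardened: the authenticated caller must own the video being deleted."""
    user = authenticate(token)
    if user is None or store.get(video_id) != user:
        return False
    del store[video_id]
    return True
```

The hardened handler returns the same result for "not yours" and "does not exist", so the response does not confirm which IDs are valid.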
Although Google paid him $5,000 for the flaw, his initial grant was awarded under Google's program to encourage people who have previously reported flaws to hunt out more.
Source: BBC.com