
YouTube bug lets anyone delete whatever clip they choose

Including other people’s obnoxious cat videos

The law of the 21st century digital front dictates that whenever an enterprising individual discovers a massive bug in your system, you reward them with a cash bounty. Earlier this month, a Russian cyber-security researcher aka whitehat hacker aka “computer expert” by the name of Kamil Hismatullin discovered a massive bug that potentially allowed anyone to delete any video on YouTube. But rather than engaging in the mass cleansing of Justin Bieber material, Hismatullin chose to report his findings to YouTube parent company Google, which paid him $5,000 for the find.

Hismatullin admits that in the course of the six to seven hours he spent conducting the research, he was very tempted to “clean up Bieber’s channel,” using words such as “fought the urge” when describing his plight. Joking aside, Google’s security team took Hismatullin’s findings very seriously and responded within a very short time; the vulnerability he discovered could’ve been exploited with relative ease, allowing users to delete whatever YouTube video they saw fit.

Given the tie-in between perceived value and total views, resetting someone’s view count by forcing them to re-upload the video can be rather detrimental, especially to users who make a living exclusively from YouTube ad revenue.

Hismatullin explains that he stumbled upon the bug while investigating cross-site scripting flaws in YouTube Creator Studio, a service that lets video creators see the traffic data behind the clips they’ve uploaded via an app. The bug he eventually found permitted any clip to be deleted by submitting its event ID, which appears in the web address, together with the requester’s own authentication token. The central issue was that the service accepted anyone’s token on a takedown request without verifying that the token belonged to the owner of the clip.
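As an added illustration (not YouTube’s code or the researcher’s), the Python sketch below models the authorization gap the article describes and places the missing ownership check beside it; the video IDs, session tokens and user names are constructed sample values.

```python
# Added illustration of the flaw described above: an in-memory "video
# service" whose delete handler authenticates the caller but never checks
# that the caller owns the video. All IDs, tokens and names are constructed.

VIDEOS = {"vid-123": {"owner": "alice", "views": 10_000}}   # constructed catalogue
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}  # constructed token -> user


class AuthError(Exception):
    pass


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def _authenticate(token):
    """Map a session token to a user; this answers WHO is calling, not what they may do."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthError("invalid or missing session token")
    return user


def delete_video_vulnerable(videos, video_id, token):
    """Mirrors the reported bug: any valid token may delete any video_id."""
    _authenticate(token)          # authentication only; no object-level authorization
    if video_id not in videos:
        raise NotFound(video_id)
    del videos[video_id]
    return True


def delete_video_fixed(videos, video_id, token):
    """Hardened: resolve the owner server-side and compare it to the caller."""
    user = _authenticate(token)
    video = videos.get(video_id)
    if video is None:
        raise NotFound(video_id)
    if video["owner"] != user:  # never trust a client-supplied owner field
        raise Forbidden(f"{user} does not own {video_id}")
    del videos[video_id]
    return True


def attempt(handler, video_id, token):
    """Run a handler against a fresh copy of the catalogue and report the outcome."""
    videos = {k: dict(v) for k, v in VIDEOS.items()}
    try:
        handler(videos, video_id, token)
    except (AuthError, NotFound, Forbidden) as exc:
        return type(exc).__name__.lower()
    return "deleted" if video_id not in videos else "kept"
```

The same pattern applies to any endpoint keyed by an identifier the client supplies: log and alert on repeated forbidden responses, since they are the signature of someone probing for exactly this gap.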

Although Hismatullin was expecting a $15,000 to $20,000 reward, the $5,000 he was eventually given makes sense in light of Google’s bounty cap; the company pays a different amount depending on the category of bug detected.

The odd $1,337 reward pricing in many of the categories is a play on the gaming/Internet lingo connoting “leet,” slang for “elite.”

By contrast, Facebook has no maximum reward ceiling, so it can compensate diligent researchers with as much as it wants.

Source: BBC
