Massive YouTube vulnerability allows deleting any video on the site

Even software giants like YouTube and Google get their fair share of security problems. A few days ago, security researcher Kamil Hismatullin found a critical vulnerability in YouTube which allowed him to delete any video belonging to any user by simply sending a request.

A lucky escape for all hated YouTube videos

Kamil stumbled across this massive security bug while looking for Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) issues.

The request used was:

POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1

event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN

On sending the above request, the bug hunter received a success response, and the target video was deleted. It was that simple. As mentioned by Kamil:

“In general I spent 6-7 hours to research, considering that couple of hours I’ve fought the urge to clean up Bieber’s channel haha.”

The issue was handled responsibly, however: it was reported to YouTube and fixed within a few hours. It was a close call. Kamil received a pretty sizeable reward from Google, as this bug in the wrong hands could have wreaked havoc on the world’s largest video-sharing website.
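The request above succeeds with the caller's own session_token and someone else's event_id, which is the pattern of a missing object-ownership check. The sketch below is an added illustration, not YouTube's code: it assumes a hypothetical in-memory store and handler names, and puts a delete handler that only authenticates the caller next to one that also verifies ownership.

```python
# Added illustration: in-memory model of a delete endpoint. All names are hypothetical.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the request is unauthenticated or not authorized for the object."""


@dataclass
class Video:
    video_id: str
    owner: str


# Constructed sample data: session tokens mapped to users.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}


def new_store():
    """Constructed sample data: one video per user."""
    return {
        "vid-a1": Video("vid-a1", "alice"),
        "vid-b1": Video("vid-b1", "bob"),
    }


def authenticate(session_token):
    """Resolve a session token to a user, or reject the request."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("invalid session token")
    return user


def delete_event_unchecked(store, session_token, event_id):
    """Weak form: any valid token is accepted for any event_id."""
    authenticate(session_token)  # proves who is calling, nothing more
    return store.pop(event_id, None) is not None


def delete_event_checked(store, session_token, event_id):
    """Hardened form: the object must belong to the authenticated caller."""
    user = authenticate(session_token)
    video = store.get(event_id)
    # Same error for "missing" and "not yours" so IDs cannot be probed.
    if video is None or video.owner != user:
        raise Forbidden("not found or not owned by caller")
    del store[event_id]
    return True
```

A valid session token (or CSRF token) only establishes who is making the request; the ownership comparison is what ties the requested object to that caller.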

Have a nice (video-full) day!