Massive YouTube vulnerability allows deleting any video on the site
Even software giants like YouTube and Google get their fair share of security problems. A few days ago, security researcher Kamil Hismatullin found a critical vulnerability in YouTube which allowed him to delete any video belonging to any user by simply sending a request.
A lucky escape for all hated YouTube videos
The request used was:
POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
On testing out the above request, the bug hunter received a success response, and the target video was deleted. It was that simple. As mentioned by Kamil:
“In general I spent 6-7 hours to research, considering that couple of hours I’ve fought the urge to clean up Bieber’s channel haha.”
The issue was handled responsibly, however: it was reported to YouTube and fixed within a few hours. It was a close call. Kamil received a pretty sizeable reward from Google, as this bug in the wrong hands could have wreaked havoc on the world's largest video-sharing website.
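The request above pairs the caller's own session token with someone else's video ID, which is the shape of a missing object-level authorization check. The following is an added example, not YouTube's code: it assumes the handler validated the session but never compared the video's owner with the session's user, and every name in it is hypothetical.

```python
# Constructed sample data; all names are hypothetical, not YouTube's.
VIDEOS = {"vid_alice": "alice", "vid_bob": "bob"}    # video id -> owner
SESSIONS = {"tok_alice": "alice", "tok_bob": "bob"}  # session token -> user
DENIED = []  # (user, event_id) pairs worth alerting on


class Forbidden(Exception):
    """Raised when a request is rejected."""


def delete_event_vulnerable(videos, sessions, event_id, session_token):
    """Authenticates the caller but never checks who owns event_id."""
    if session_token not in sessions:
        raise Forbidden("invalid session")
    videos.pop(event_id, None)  # deletes whatever id the client supplied
    return True


def delete_event_hardened(videos, sessions, event_id, session_token):
    """Authenticates, then authorizes against the object's owner."""
    user = sessions.get(session_token)
    if user is None:
        raise Forbidden("invalid session")
    owner = videos.get(event_id)
    if owner != user:
        # Same error for "missing" and "not yours" so ids cannot be probed.
        if owner is not None:
            DENIED.append((user, event_id))  # cross-account attempt
        raise Forbidden("not found or not permitted")
    del videos[event_id]
    return True


def demo():
    """Bob's valid token is used against Alice's video in both handlers."""
    v1, v2 = dict(VIDEOS), dict(VIDEOS)
    delete_event_vulnerable(v1, SESSIONS, "vid_alice", "tok_bob")
    try:
        delete_event_hardened(v2, SESSIONS, "vid_alice", "tok_bob")
        blocked = False
    except Forbidden:
        blocked = True
    return "vid_alice" in v1, "vid_alice" in v2, blocked


if __name__ == "__main__":
    print(demo())
```

The DENIED list stands in for an audit log: a valid session repeatedly hitting objects it does not own is a useful detection signal.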
Have a nice (video-full) day!