A couple of days ago, a Russian coder, Kamil Hismatullin, posted a demonstration on his blog explaining a technique to delete virtually any video on YouTube. The service uses authentication tokens which are unique to users. Kamil discovered that when submitting a takedown request, the site was accepting any token instead of a unique one, which potentially meant that he could delete any video present on YouTube.
Instead of illegally exploiting this security flaw, Kamil contacted Google and reported it, which earned him a $5000 bounty. He did, however, joke that he had contemplated deleting all videos from Justin Bieber's channel:
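The class of flaw described above, as an added example that is not Kamil's or YouTube's code: a delete handler that only checks that a token is genuine, next to one that also checks the token's user owns the target video. The token format, key, video ids and function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data; every name and value here is hypothetical.
SERVER_KEY = b"constructed-demo-key"
VIDEO_OWNER = {"vid-alice-1": "alice", "vid-bob-1": "bob"}


def issue_token(user: str) -> str:
    """Issue a per-user token: the user id plus an HMAC over it."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def token_user(token: str):
    """Return the user a token was issued to, or None if it is not genuine."""
    user, _, mac = token.partition(":")
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    genuine = hmac.compare_digest(mac.encode(), expected.encode())
    return user if genuine else None


def delete_video_flawed(videos: dict, video_id: str, token: str) -> bool:
    """Flawed: any genuine token is accepted, whoever it belongs to."""
    if token_user(token) is None:
        return False
    return videos.pop(video_id, None) is not None


def delete_video_fixed(videos: dict, video_id: str, token: str) -> bool:
    """Fixed: the token's user must be the owner of the target video."""
    user = token_user(token)
    if user is None or videos.get(video_id) != user:
        return False
    del videos[video_id]
    return True
```

The fixed handler fails closed: a forged token, an unknown video id and a genuine token from a non-owner all take the same rejection path.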
I spent six to seven hours [on] research, considering that [for a] couple of hours I've fought the urge to clean up Bieber's channel, haha.
However, much to the disappointment of Bieber-haters around the globe, Kamil decided against this and reported the issue to Google. According to Kamil, the company was extremely quick to respond, fixing the flaw in a matter of hours. He further described how harmful the vulnerability was, stating that:
Although it was an early Saturday's (sic) morning in San Francisco when I reported [the] issue, Google's security team replied very fast, since this vulnerability could create utter havoc in a matter of minutes in the bad hands.
This vulnerability [might have been used] to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time.
It was fixed in several hours, Google rewarded me $5,000 and luckily no Bieber videos were harmed.
A $5000 reward for such a major flaw in the security system sounds a bit low coming from a company like Google, given that Facebook previously gave $12,500 to a security researcher for discovering a similar bug. However, this can be explained by the fact that Kamil had previously been given a $1337 payment by the company, a grant offered to security researchers who regularly report vulnerabilities. Researchers keep that initial amount even if they are unable to discover any more flaws in the security system, while also voluntarily placing a cap on any bounties they might receive from the firm in the future.
Source: Kamil Hismatullin (Blog) via The BBC |Image via 6erock