Kamil Hismatullin, a Russian security bod, found a simple logical vulnerability that allowed him to delete any video from YouTube in one shot.
While looking for Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) flaws in YouTube Creator Studio, Hismatullin came across a simple logical bug that could wipe up any video by just sending an identity number of any video in a post request against any session token.
Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
The bug was simple but critical as it could be exploited by an attacker to fool YouTube easily into deleting any video on its system.
"I've fought the urge to [delete] Bieber's channel," Hismatullin wrote in his blog post. "Luckily no Bieber videos were harmed."
Citing the consequences of the issue, Hismatullin said "this vulnerability could create utter havoc in a matter of minutes in [attackers'] hands who could extort people or [just] disrupt YouTube by deleting massive amounts of videos in a very short period of time."
The researcher reported the bug to Google, and the search engine giant fixed the issue within several hours. Hismatullin won $5,000 cash reward from Google for finding and reporting the critical issue and an extra $1337 under the company's pre-emptive vulnerability payment scheme.
Over a month ago, a similar bug was reported in Facebook's own systems that could have exploited by attackers to delete any photo from anyone's Facebook account. However, the social networking giant fixed the relatively simple issue.