There was a flaw in YouTube that allowed removal of any video

Pierluigi Paganini April 01, 2015

A Russian researcher has discovered a critical vulnerability in YouTube that could have been exploited by a hacker to delete any video from the website.

The Russian security researcher Kamil Hismatullin has discovered a critical flaw in YouTube that could be exploited by attackers to delete any video the popular video sharing service.

The bug hunter is not new to these discoveries, he reported several flaws to Google in the past, he was awarded $1,337 as part of the company bounty program known as “Vulnerability Research Grants” program. The goal of the Google program is to invite experts and hacker to analyze the level of security for Google products and services, including YouTube.

Hismatullin spent part of his time in analyzing YouTube Creator Studio, he was looking for cross-site scripting (XSS) and cross-site request forgery (CSRF) fleas when he discovered a logical bug that allowed him to remove any video from YouTube using a simple POST request.

youtube delete video

" ... unexpectedly discovered a logical bug that let me to delete any video on YouTube with just one following request:
POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1

event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
In response I got:
{
  "success": 1
}
And the video got deleted!

States a blog post published by the expert that includes also a video PoC.

Giving a look to the POST request it is possible to note that it includes a session token, which is available in the page’s source code, and of course the ID of the video, included in the URL of the video that the we want to delete.

Google as fixed the flaw in YouTube a few hours after Hismatullin reported it to the IT giant, he was also awarded $5,000 for his discovery. Google recognized that the flaw was really serious so it awarded the maximum amount of money reserved for the logic flaws that lead to bypassing significant security controls in normal Google applications.

Pierluigi Paganini

(Security Affairs –  Youtube,   hacking)



you might also like

leave a comment