YouTube fixes bug that could've allowed hacker to delete any video

The security researcher sadly did not wipe out years of videos by Justin Bieber, leaving the world in the horrid, uncultured state that it is.

(Screenshot: ZDNet/YouTube)

Just think of a world where Justin Bieber didn't exist on YouTube.

13 best privacy tools for staying secure

From encrypted instant messengers to secure browsers and operating systems, these privacy-enhancing apps, extensions, and services can protect you both online and offline.

Read More

Now think of someone pocketing $5,000 after alerting Google to a bug that allowed a hacker to delete any Bieber video on the site?

That's "responsible" disclosure. But we can still dream of a quiet, Bieberless world.

Security researcher Kamil Hismatullin received the top-tier reward after he reported to the company how he could delete any video by spoofing the site into thinking he owned a video.

After hunting for cross-site scripting flaws, he stumbled upon a logical bug that allowed him to delete videos by entering a video ID against any session token.

By all accounts, it's a relatively simple bug to find, and to exploit.

Google's security team fixed the bug that day, and granted Hismatullin the four-figure sum shortly after for his disclosure.

A similar bug appeared in Facebook's own systems a few weeks ago, one that was also promptly fixed. A relatively simple bug could've allowed a hacker or malicious actor to delete any photo on the social networking site.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All