YouTube fixes bug that could've allowed hacker to delete any video

The security researcher sadly did not wipe out years of videos by Justin Bieber, leaving the world in the horrid, uncultured state that it is.
Written by Zack Whittaker, Contributor

Just think of a world where Justin Bieber didn't exist on YouTube.

Now think of someone pocketing $5,000 after alerting Google to a bug that allowed a hacker to delete any Bieber video on the site.

That's "responsible" disclosure. But we can still dream of a quiet, Bieberless world.

Security researcher Kamil Hismatullin received the top-tier reward after he reported to the company how he could delete any video by spoofing the site into thinking he owned a video.

After hunting for cross-site scripting flaws, he stumbled upon a logic bug that allowed him to delete videos by pairing any video's ID with any session token.

By all accounts, it's a relatively simple bug to find, and to exploit.
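
For defenders, the flaw as described comes down to a delete handler that accepts a valid session token without confirming that the token's user owns the video named in the request. The sketch below is an added illustration, not code from the article, the researcher or Google; the in-memory store, function names and status codes are all assumptions. It shows the flawed handler beside one that enforces ownership and logs denied attempts.

```python
# Added illustration: a hypothetical in-memory service, not YouTube's code.
import secrets

VIDEOS = {"vid-alice-1": "alice", "vid-bob-1": "bob"}  # constructed: video_id -> owner
SESSIONS = {}                                          # session token -> user


def login(user):
    """Issue a random session token for a user (stands in for real auth)."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def delete_video_flawed(store, token, video_id):
    """Authenticates the caller but never asks whose video this is."""
    if token not in SESSIONS:
        return 401
    if video_id not in store:
        return 404
    del store[video_id]  # any logged-in user reaches this line
    return 200


def delete_video_checked(store, token, video_id, audit):
    """Authorizes the action against the video's owner and audits denials."""
    user = SESSIONS.get(token)
    if user is None:
        return 401
    owner = store.get(video_id)
    if owner is None:
        return 404
    if owner != user:
        # A denied cross-account delete is a useful detection signal.
        audit.append({"event": "delete_denied", "user": user, "video_id": video_id})
        return 403
    del store[video_id]
    return 200


if __name__ == "__main__":
    bob, log = login("bob"), []
    print(delete_video_flawed(dict(VIDEOS), bob, "vid-alice-1"))
    print(delete_video_checked(dict(VIDEOS), bob, "vid-alice-1", log), log)
```
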

Google's security team fixed the bug that day, and granted Hismatullin the four-figure sum shortly after for his disclosure.

A similar bug appeared in Facebook's own systems a few weeks ago, one that was also promptly fixed. That relatively simple bug could've allowed a hacker or malicious actor to delete any photo on the social networking site.
