YouTube bug that allowed hacker to delete any video fixed by Google

Bieber haters would love this! Imagine a world with Bieber less videos and imagine a bug which could do that. Security researcher Kamil Hismatullin discovered a simple yet powerful bug in YouTube which let him delete any video by making it think he owned the video.

Kamil was invited with a grant of $1337.00 to take part in Google Vulnerability Research Grants which he accepted and decided to take a look at the security of Google products.

He was working with the YouTube Creative Studio when he found out that a logical bug that allowed him to delete any video by entering a video ID against any session token.



event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
Response :

 "success": 1

Being a Bieber fan, he wanted to try out his new found exploit by deleting one of Justin Bieber’s videos posted YouTube. Being a gentleman, Kamil didnt do that and instead reported the bug to Google who acknowledged the severity of the but and awarded him $5,000.00.

Here is a PoC video published by Kamil

And yes, Google has fixed the flaw so you cant have a Bieberless world at least for now.


Please enter your comment!
Please enter your name here