Google fixes YouTube bug that allowed hackers to delete any video

YouTube bug that allowed hacker to delete any video fixed by Google

Bieber haters would love this! Imagine a world with Bieber less videos and imagine a bug which could do that. Security researcher Kamil Hismatullin discovered a simple yet powerful bug in YouTube which let him delete any video by making it think he owned the video.

Kamil was invited with a grant of $1337.00 to take part in Google Vulnerability Research Grants which he accepted and decided to take a look at the security of Google products.

He was working with the YouTube Creative Studio when he found out that a logical bug that allowed him to delete any video by entering a video ID against any session token.

PoC

POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1

event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
Response :

{
 "success": 1
}

Being a Bieber fan, he wanted to try out his new found exploit by deleting one of Justin Bieber’s videos posted YouTube. Being a gentleman, Kamil didnt do that and instead reported the bug to Google who acknowledged the severity of the but and awarded him $5,000.00.

Here is a PoC video published by Kamil

And yes, Google has fixed the flaw so you cant have a Bieberless world at least for now.