Under a Google initiative for the exploration of researching the security of its products, 22-year-old Kamil Hismatullin discovered a logical bug with the company’s YouTube Creator Studio. This particular facet of YouTube acts as a service that allows creators to view the analytics about videos they have uploaded.
This bug involves using the “delete_live_event” keywords with the ID of a YouTube video. YouTube would not actually check whether or not the account owner of a particular video was making the request and go ahead with deleting the desired item.
More specifically, the event ID of the YouTube video (found in its web address) and its authentication token (which acts as a password) could both be easily accessed and taken as input for the delete request. Creator Studio accepted any account’s takedown request token, meaning a user could copy this token from his or her own account and use it with another’s video information. Supposedly this process could “wipe the clip within half a minute” according to the BBC News’ report on Hasmatullin’s find.
Hismatullin claims he “spent six to seven hours [on] research, considering that [for a] couple of hours [he] fought the urge to clean up [Justin] Bieber’s channel.” Nonetheless, Bieber’s videos remain safe and the Google security team met his Saturday morning report with a swift response.
Although left unexploited, the vulnerability had the potential to cause mass disruption across YouTube by deleting a myriad of videos in minutes. For his efforts, Google awarded Hismatullin an extra $5,000 to the initial amount they pay those offered the Google research initiative. Reportedly he expected more along the lines of $15,000 or even $20,000 for the discovery of such a vulnerability, but could not complain based on the guidelines Google had created for rewarding such finds.
[Sample e-mail taken from Hismatullin’s website.]
This Google initiative is specifically called Vulnerability Research Grants. Announced a few months back, Google’s Security team sends e-mail invitations to selected reporters who regularly report security flaws. They are given the option to choose between various Google services and look into one, receiving a base grant and a potential reward for uncovering any issues.
– Misha (Melissa Belisle)