Security Experts:

YouTube Flaw Allowed Removal of Any Video: Researcher

A researcher has identified a vulnerability in YouTube that could have been exploited by an attacker to delete any video from the Google-owned video sharing website.

The issue was discovered over the weekend by Russia-based security researcher Kamil Hismatullin. The expert, who has reported several flaws to Google, decided to analyze YouTube Creator Studio after being awarded $1,337 as part of the search giant’s recently introduced Vulnerability Research Grants program.

In a blog post published on Tuesday, Hismatullin explained that he was looking for cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities when he identified a logical bug that allowed him to remove any video from YouTube with the following POST request:

https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1

The request must include a session token, which is available in the page’s source code, and the ID of the video that is being deleted, a string that can be found in the video’s URL. The researcher has published a proof-of-concept video to demonstrate his findings.

Google addressed the vulnerability just hours after it was reported by Hismatullin. The researcher was awarded $5,000 for his findings, which is the maximum reward for logic flaws that lead to bypassing significant security controls in normal Google applications.

Related: Researcher Gets $5000 for XSS Flaw in Google Apps Admin Console

Related: Email Spoofing Flaw Found in Google Admin Console

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.