A researcher has identified a vulnerability in YouTube that could have been exploited by an attacker to delete any video from the Google-owned video sharing website.
The issue was discovered over the weekend by Russia-based security researcher Kamil Hismatullin. The expert, who has reported several flaws to Google, decided to analyze YouTube Creator Studio after being awarded $1,337 as part of the search giant’s recently introduced Vulnerability Research Grants program.
In a blog post published on Tuesday, Hismatullin explained that he was looking for cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities when he identified a logical bug that allowed him to remove any video from YouTube with the following POST request:
https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
The request must include a session token, which is available in the page’s source code, and the ID of the video that is being deleted, a string that can be found in the video’s URL. The researcher has published a proof-of-concept video to demonstrate his findings.
Google addressed the vulnerability just hours after it was reported by Hismatullin. The researcher was awarded $5,000 for his findings, which is the maximum reward for logic flaws that lead to bypassing significant security controls in normal Google applications.
Related: Researcher Gets $5000 for XSS Flaw in Google Apps Admin Console
