seboo00111 Posted April 3, 2015

Today's tale of apocalyptic internet near-misses comes from software developer Kamil Hismatullin, who discovered a security flaw in YouTube that allowed him to delete any video he wanted—or all of them, if he so desired. Fortunately, he did not so desire (although he apparently had some thoughts about doing a number on Justin Bieber's channel), and instead he reported the bug to Google and collected a $5000 reward.

The discovery stemmed from Google's launch of Vulnerability Research Grants in January, through which it offers monetary grants to "top performing, frequent vulnerability researchers" in exchange for research into potential weaknesses of specific applications. The idea is to provide an incentive to researchers to find and report bugs and security flaws, so Google can fix them as quickly as possible. In February, Hismatullin was selected for a $1337 grant, and opted to dig into YouTube Creator Studio. After six or seven hours of research, he "unexpectedly discovered a logical bug that let me delete any video on YouTube with just one following request." His explanation of the flaw goes over my head, but it seems like it was fairly simple to perform. He also posted a video (on YouTube, amusingly) showing the exploit in action.

"Although it was an early Saturday's morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time," he wrote. "It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D"

A YouTube representative has confirmed that Hismatullin's report is legitimate. And that, folks, is what we call a close one. Imagine if the world had lost such treasures as ?

source

PS: What do you think? Is 5K worth it for a bug that could "theoretically" have bankrupted them? (Unlikely, I'd say; they would have caught on quickly.)
SKYNET32 Posted April 3, 2015

This has already been posted: https://rstforums.com/forum/99806-delete-video-youtube.rst

Anyway, he got too little for the severity of the bug.
mundy. Posted April 3, 2015

$5000 is next to nothing over there, while here in Romania it's a pure handout :troll
mah_one Posted April 5, 2015

They probably gave him $5000 because the issue was discovered during the grant!

You can think of the grant as a pentest. As far as I know, Google doesn't pay you according to how many bugs you find or how severe they are.

If you don't find any issue by the end of the grant, you still get your money! They gave him $5000 so as not to discourage the grant research program!
Erase Posted April 7, 2015 (Edited April 7, 2015 by Erase)

In my opinion this isn't a bug and never was, because he deleted his own video, not someone else's, and given that he was authenticated on YouTube and the token was propagated correctly, the request worked.

Therefore, if he had tried to delete a video that didn't belong to him, the command certainly wouldn't have worked.

Maybe I'm wrong, but at first glance this bug looks fake to me, and if the guy received that sum of money, it was because he was enrolled in that program.
seboo00111 (Author) Posted April 7, 2015

@SKYNET32. Sorry, I really didn't know, and I'm surprised I didn't notice, since I frequent this category. My bad once again.
Gushterul Posted April 7, 2015

> In my opinion this isn't a bug and never was, because he deleted his own video, not someone else's, and given that he was authenticated on YouTube and the token was propagated correctly, the request worked.
> Therefore, if he had tried to delete a video that didn't belong to him, the command certainly wouldn't have worked.
> Maybe I'm wrong, but at first glance this bug looks fake to me, and if the guy received that sum of money, it was because he was enrolled in that program.

From what I can see, it is actually very valid. He was not authenticated as the user who had rights over that video.