Jump to content
seboo00111

Security flaw gave researcher the power to erase every video on YouTube

Recommended Posts



Today's tale of apocalyptic internet near-misses comes from software developer Kamil Hismatullin, who discovered a security flaw in YouTube that allowed him to delete any video he wanted—or all of them, if he so desired. Fortunately, he did not so desire (although he apparently had some thoughts about doing a number on Justin Bieber's channel), and instead he reported the bug to Google and collected a $5000 reward.
The discovery stemmed from Google's launch of Vulnerability Research Grants in January, through which it offers monetary grants to "top performing, frequent vulnerability researchers" in exchange for research into potential weaknesses of specific applications. The idea is to provide an incentive to researchers to find and report bugs and security flaws, so Google can fix them as quickly as possible.
In February, Hismatullin was selected for a $1337 grant, and opted to dig into YouTube Creator Studio. After six or seven hours of research, he "unexpectedly discovered a logical bug that let me delete any video on YouTube with just one following request." His explanation of the flaw goes over my head, but it seems like it was fairly simple to perform. He also posted a video (on YouTube, amusingly) showing the exploit in action.
"Although it was an early Saturday's morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time," he wrote. "It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D"
A YouTube representative has confirmed that Hismatullin's report is legitimate. And that, folks, is what we call a close one. Imagine if the world had lost such treasures as
?

source

PS: ce ziceti? se merita 5K pentru un bug care putea sa ii bage "teoretic" in faliment?(Putin probabil zic eu, si-ar fi dat seama repede)
Link to comment
Share on other sites

Probabil i-au dat 5000$ pentru ca problema a fost descoperita in timpul grant-ului!

Grantul puteti sa il vedeti ca un pentest. Din cate stiu, google nu te plateste pe cate bug-uri gasesti sau cat de grave sunt.

Daca la sfarsitul grantului nu gasesti nici o problema, tu tot iti iei banii!

I-au dat 5000$ ca sa nu descurajeze programul de grant research!

Link to comment
Share on other sites

Dupa parerea mea nu este nici un bug si nici n-a fost pentru ca el a sters materialul lui, nu al altuia, iar avand in vedere ca era autentificat pe youtube si token-ul era propagat corect, request-ul a functionat.

Prin urmare daca incerca sa stearga un material care nu-i apartinea cu siguranta comanda nu functiona.Poate gresesc dar la prima vedere pentru mine este fals acest bug, iar baiatul daca a primit acea suma de bani a fost pentru ca era abonat la acel program.

Edited by Erase
Link to comment
Share on other sites

Dupa parerea mea nu este nici un bug si nici n-a fost pentru ca el a sters materialul lui, nu al altuia, iar avand in vedere ca era autentificat pe youtube si token-ul era propagat corect, request-ul a functionat.

Prin urmare daca incerca sa stearga un material care nu-i apartinea cu siguranta comanda nu functiona.Poate gresesc dar la prima vedere pentru mine este fals acest bug, iar baiatul daca a primit acea suma de bani a fost pentru ca era abonat la acel program.

Eu din cate vad este chiar foarte valid. El nu era autentificat cu utilizatorul care avea drepturi asupra acelui video.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...