Today's tale of apocalyptic internet near-misses comes from software developer Kamil Hismatullin, who discovered a security flaw in YouTube that allowed him to delete any video he wanted—or all of them, if he so desired. Fortunately, he did not so desire (although he apparently had some thoughts about doing a number on Justin Bieber's channel), and instead he reported the bug to Google and collected a $5000 reward.
The discovery stemmed from Google's launch of Vulnerability Research Grants in January, through which it offers monetary grants to "top performing, frequent vulnerability researchers" in exchange for research into potential weaknesses of specific applications. The idea is to provide an incentive to researchers to find and report bugs and security flaws, so Google can fix them as quickly as possible.
In February, Hismatullin was selected for a $1337 grant, and opted to dig into YouTube Creator Studio. After six or seven hours of research, he "unexpectedly discovered a logical bug that let me delete any video on YouTube with just one following request." His explanation of the flaw goes over my head, but it seems like it was fairly simple to perform. He also posted a video (on YouTube, amusingly) showing the exploit in action.
"Although it was an early Saturday's morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time," he wrote. "It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D"
A YouTube representative has confirmed that Hismatullin's report is legitimate. And that, folks, is what we call a close one. Imagine if the world had lost such treasures as this?
(Thanks, Gawker.)
