Skip to main content

Security flaw gave researcher the power to erase every video on YouTube

YouTube face
Audio player loading…

Today's tale of apocalyptic internet near-misses comes from software developer Kamil Hismatullin, who discovered a security flaw in YouTube that allowed him to delete any video he wanted—or all of them, if he so desired. Fortunately, he did not so desire (although he apparently had some thoughts about doing a number on Justin Bieber's channel), and instead he reported the bug to Google and collected a $5000 reward.

The discovery stemmed from Google's launch of Vulnerability Research Grants in January, through which it offers monetary grants to "top performing, frequent vulnerability researchers" in exchange for research into potential weaknesses of specific applications. The idea is to provide an incentive to researchers to find and report bugs and security flaws, so Google can fix them as quickly as possible.

In February, Hismatullin was selected for a $1337 grant, and opted to dig into YouTube Creator Studio. After six or seven hours of research, he "unexpectedly discovered a logical bug that let me delete any video on YouTube with just one following request." His explanation of the flaw goes over my head, but it seems like it was fairly simple to perform. He also posted a video (on YouTube, amusingly) showing the exploit in action.

"Although it was an early Saturday's morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time," he wrote. "It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D"

A YouTube representative has confirmed that Hismatullin's report is legitimate. And that, folks, is what we call a close one. Imagine if the world had lost such treasures as this?

(Thanks, Gawker (opens in new tab).)

Andy has been gaming on PCs from the very beginning, starting as a youngster with text adventures and primitive action games on a cassette-based TRS80. From there he graduated to the glory days of Sierra Online adventures and Microprose sims, ran a local BBS, learned how to build PCs, and developed a longstanding love of RPGs, immersive sims, and shooters. He began writing videogame news in 2007 for The Escapist and somehow managed to avoid getting fired until 2014, when he joined the storied ranks of PC Gamer. He covers all aspects of the industry, from new game announcements and patch notes to legal disputes, Twitch beefs, esports, and Henry Cavill. Lots of Henry Cavill.