YouTuber Discovers Method to Delete Other People’s Clips

A Russian coder has talked about a method he discovered that let him delete any video from YouTube. Kamil Hismatullin developed a technique that allowed him to remove clips from YouTube using part of their web address. He said that the process of removing a clip took just half a minute. Hismatullin decided to report to the hack to YouTube owner Google instead of exploiting it, although he did joke that he was tempted to wipe Justin Bieber’s channel from the service.
Hismatullin said Google replied to him in a swift manner because of the hack’s potential. He was awarded $5,000 for reporting the hack, which he discovered whilst exploring YouTube Creator Studio, a tool that allows uploaders to see data about clips they have uploaded. The hack exploited the event ID and authentication token. The coder realised that the service as accepting any token rather than asking for one that belonged to the video uploader. This meant that Mr. Hismatillin was able to copy a token from his own account to delete other people’s videos.
He had been given a $1,337 grant to hunt out flaws in Google’s products. Mr. Hismatullin did express disappointment about the figure he was rewarded for discovering the hack before learning that the company’s rules meant it couldn’t pay more.
– See more at: