Russian security researcher Kamil Hismatullin described on his blog how he found the bug.
“In YouTube Creator Studio I investigated how live_events/broadcasting systems work,” Kamil said.
He then added, “I wanted to find there some CSRF or XSS issues, but unexpectedly discovered a logical bug that let me delete any video.”
The Security Bug
As the researcher explained, a malicious user only needed to send a simple POST request with 2 parameters, session_token and event_id. The latter identifies the YouTube video to be deleted.
POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
The event_id can be the ID of any other existing video on YouTube, while session_token is the token of your own current session, which made exploitation of the now-fixed bug really easy.
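The behaviour described above is what a delete handler produces when it validates the session token but never checks that the session's user owns the object named by event_id. The following sketch is an added example, not YouTube's code and not from the researcher's post; the session table, video table and function names are all hypothetical and the data is constructed. It shows that handler beside a version that enforces ownership and records denied attempts for detection.

```python
# Constructed in-memory data; every name here is hypothetical, not YouTube's.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # session_token -> user
DENIED_LOG = []                                        # (user, event_id) for alerting

class Forbidden(Exception):
    pass

def fresh_videos():
    return {"vid-a1": "alice", "vid-b1": "bob"}        # event_id -> owner

def authenticate(session_token):
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("invalid session")
    return user

def delete_event_vulnerable(videos, session_token, event_id):
    """Only proves the caller is logged in, then trusts the supplied event_id."""
    authenticate(session_token)
    if event_id not in videos:
        return False
    del videos[event_id]
    return True

def delete_event_fixed(videos, session_token, event_id):
    """Authorizes the action against the object's owner before deleting."""
    user = authenticate(session_token)
    owner = videos.get(event_id)
    # Same error for "missing" and "not yours", so responses do not confirm IDs.
    if owner is None or owner != user:
        DENIED_LOG.append((user, event_id))
        raise Forbidden("not found or not owned by caller")
    del videos[event_id]
    return True

def demo():
    results = {}
    videos = fresh_videos()
    results["vulnerable_cross_user"] = delete_event_vulnerable(videos, "tok-bob", "vid-a1")
    results["vulnerable_state"] = sorted(videos)
    videos = fresh_videos()
    try:
        delete_event_fixed(videos, "tok-bob", "vid-a1")
        results["fixed_cross_user"] = "deleted"
    except Forbidden:
        results["fixed_cross_user"] = "denied"
    results["fixed_own"] = delete_event_fixed(videos, "tok-alice", "vid-a1")
    results["fixed_state"] = sorted(videos)
    return results

if __name__ == "__main__":
    print(demo())
```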
Since Kamil practices ethical hacking, he responsibly reported the bug directly to Google and received the highest bounty for a significant authentication bypass: $5000.
Google pushed a fix within several hours of his report.