
Remote Deletion of YouTube Videos fixed for $5000


A security bug that allowed a malicious user to delete any video on YouTube has been fixed by Google, which rewarded the finder $5000 as part of its vulnerability reward program.

Russian security researcher Kamil Hismatullin detailed on his blog how he ended up finding the bug.

“In YouTube Creator Studio I investigated how live_events/broadcasting systems work,” Kamil said.

He then added, “I wanted to find there some CSRF or XSS issues, but unexpectedly discovered a logical bug that let me delete any video.”

The Security Bug

As the researcher explained, a malicious user only needed to send a simple POST request with 2 parameters, session_token and event_id. The latter identifies the YouTube video to be deleted.

POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1

event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN

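The event_id could be the ID of any other existing video on YouTube, while session_token was the requester's own current session token, so the request was accepted even for videos the requester did not own. That made exploitation of the now-fixed bug really easy.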
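The class of flaw described above, shown next to the check that prevents it, as an added example that is not code from the researcher's post or from Google. It assumes the bug was a missing ownership check on event_id; the store, session tokens and video IDs are constructed for illustration.

```python
"""Object-level authorization for a delete-by-ID endpoint (constructed example)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Store:
    sessions: dict = field(default_factory=dict)  # session_token -> user
    owners: dict = field(default_factory=dict)    # event_id -> owning user
    audit: list = field(default_factory=list)     # denied attempts, for detection


def make_store():
    # Constructed sample data, not real tokens or video IDs.
    return Store(
        sessions={"tok-alice": "alice", "tok-bob": "bob"},
        owners={"vid-alice-1": "alice", "vid-bob-1": "bob"},
    )


def _authenticate(store, session_token):
    user = store.sessions.get(session_token)
    if user is None:
        raise Forbidden("invalid session")
    return user


def delete_event_unchecked(store, session_token, event_id):
    """Flawed pattern: a valid session is treated as permission for any event_id."""
    _authenticate(store, session_token)
    return store.owners.pop(event_id, None) is not None


def delete_event_checked(store, session_token, event_id):
    """Corrected pattern: the session's user must own the object named by event_id."""
    user = _authenticate(store, session_token)
    owner = store.owners.get(event_id)
    if owner != user:
        # Same answer for "missing" and "not yours", so IDs cannot be probed.
        store.audit.append((user, event_id))
        raise Forbidden("not found or not permitted")
    del store.owners[event_id]
    return True
```

The audit list stands in for a log a detection rule could watch: repeated denied deletes from one account against objects it does not own are worth alerting on.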

Ethical

Since Kamil practices ethical hacking, he responsibly reported the bug directly to Google and got the highest bounty for a significant authentication bypass: $5000.

Google pushed a fix within several hours of his report.

About Clifford Trigo

I am Clifford Trigo, a proud Boholano / Pinoy / Filipino Web App Security Researcher. Day by day, I'm learning new things :)) Visit my HackerOne Profile, currently at top 2 overall :D