Student and security researcher Kamil Hismatullin recently took Google up on its vulnerability research grant offer, accepting a $1337 cash advance in exchange for a promise to seek out cross-site scripting and cross-site request forgery bugs in YouTube’s Creator Studio. While conducting that research, Hismatullin discovered that he could delete literally any video uploaded on Google’s massively popular streaming service.
In addition to the grant money, Google paid Hismatullin $5,000 in bug bounty cash, which is a relatively small price considering the scope and potential impact of the bug in question.
About Vulnerability Research Grants and a little story how I could delete any video on YouTube http://t.co/rqcU9XH1aV pic.twitter.com/cM4tKogSoH
— Kamil Hismatullin (@kamil_hism) March 31, 2015
Hisnmatulling demonstrates his exploitation of this vulnerability, described as a “logical bug,” in a proof-of-concept video uploaded, ironically enough, to YouTube. The researcher logs into Creator Studio and enters the URL of the video he’d like to delete into the POST field. He then copies the ‘event_id’ value out of the video’s URL and the ‘session_token’ out of the video’s HTML source code into the ‘form-data’ fields in the Creator Studio. Once he sends the POST request, there is a response saying “success” and the video is said to have been removed by the user if someone tries to watch it.
[youtube https://www.youtube.com/watch?v=NarxB7NG6e0&w=420&h=315]
The researcher says he spent around seven hours finding the bug. When he reported it to Google, early on a Saturday morning, the company issued a quick response and fixed the bug within a few hours. Despite that, Hismatullin claims the company asked him to refrain from publishing the details of the bug for a couple weeks, while ensured the problem was fully resolved.
Threatpost reached out to Google for confirmation but it did not respond to our request for comment before the time of publication.
Google added up-front research grants to its bug bounty program in early February. The new program offers as much as $3133.70 to researchers who have worked on bug bounties in the past. The payment is for the performance of vulnerability research and researchers are paid in advance regardless of whether they discover bugs or not.