Thursday, April 2, 2015

How hackers Could Delete any YouTube video with just One Click

A security researcher has discovered a simple but critical vulnerability in Google-owned YouTube that could be exploited by anyone to knock down the whole business of the popular video sharing website.


Kamil Hismatullin, a Russian security bod, found a simple logical vulnerability that allowed him to delete any video from YouTube in one shot.
 ( https://www.youtube.com/watch?t=24&v=NarxB7NG6e0)

While looking for Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) flaws in YouTube Creator STudio, Hismatullin came across a simple logical bug that could wipe any video by just sending an identity number of any video in a post request against any session token.

The bug was simple but critical as it could be exploited by an attecker to fool YouTube easily into deleting any video on its system.

"I've fought the urge to (delete) Bieber's channel," Hismatullin wrote in his blog post "Luckily no Bieber videos were harmed "

Citing the consequences of the issue, Hismatullin said "this vulnerability could create havoc in a matter of minutes in (Attackers') hands who could extort people or (just) disrupt YouTube by deleting massive amounts of videos in a very short period of time. "

The researcher reported the bug to Google, and the search engine giant fixed the issue within several hours.
Hismatullin won $5,000 cash reward from Google for finding and reporting the critical issue and an extra $1337 under the company's pre-emptive vulnerability payment scheme.

Over a month ago, a similar bug was reported in Facebook's own system taht could have exploited by attackers to delete any photo form anyone's Facebook account. However, the social networking giant fixed the ralatively simple issue.

No comments:

Post a Comment