Russian security engineer Kamil Hismatullin discovered a serious security flaw in YouTube, the popular video-sharing platform. The vulnerability allowed an attacker to delete any video from YouTube without any authentication or permission to delete it; all he needed was the video ID. He exploited the flaw by sending a POST request containing the ID of a video and any token, a simple request like the one below:
event_id: "video id"
session_token: "your token numb."
The tricky part is “delete_live_event”. All he needed to do was fill in a YouTube video ID, and YouTube would delete it without checking whether he was actually the owner of that video.
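The missing ownership check described above, modelled as an added example (not YouTube's code and not taken from Kamil's report): a toy in-memory handler that deletes on event_id alone, beside a version that ties the deletion to the session's user. The class, method names, sample IDs and tokens are constructed, and the model assumes the token only had to be a valid session for some account.

```python
# Toy model of the server-side logic; all names and data are constructed.
class Forbidden(Exception):
    pass

class VideoStore:
    def __init__(self, videos, sessions):
        self.videos = dict(videos)      # event_id -> owner user id
        self.sessions = dict(sessions)  # session_token -> user id

    def _user_for(self, session_token):
        user = self.sessions.get(session_token)
        if user is None:
            raise Forbidden("invalid session_token")
        return user

    def delete_vulnerable(self, event_id, session_token):
        # Flaw: the token is validated, but never compared with the
        # owner of event_id, so any account can delete any video.
        self._user_for(session_token)
        return self.videos.pop(event_id, None) is not None

    def delete_hardened(self, event_id, session_token):
        user = self._user_for(session_token)
        owner = self.videos.get(event_id)
        # Same error for "missing" and "not yours", so the response
        # does not reveal which video IDs exist.
        if owner is None or owner != user:
            raise Forbidden("video not found or not owned by caller")
        del self.videos[event_id]
        return True

def build_store():
    # Constructed sample data: two accounts, one video each.
    return VideoStore(
        videos={"VID_ALICE": "alice", "VID_BOB": "bob"},
        sessions={"tok-alice": "alice", "tok-bob": "bob"},
    )

if __name__ == "__main__":
    store = build_store()
    print("vulnerable, bob deletes alice's video:",
          store.delete_vulnerable("VID_ALICE", "tok-bob"))
    store = build_store()
    try:
        store.delete_hardened("VID_ALICE", "tok-bob")
    except Forbidden as exc:
        print("hardened, bob deletes alice's video:", exc)
    print("hardened, bob deletes his own video:",
          store.delete_hardened("VID_BOB", "tok-bob"))
```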
Kamil reported the vulnerability to Google's bug bounty program, and for his research work Google rewarded him $5,000 for finding the problem.
He joked about deleting Justin Bieber's YouTube channel, but he didn’t realise that move would save humanity.