Pierluigi Paganini
April 01, 2015
The Russian security researcher Kamil Hismatullin has discovered a critical flaw in YouTube that could be exploited by attackers to delete any video the popular video sharing service.
The bug hunter is not new to these discoveries, he reported several flaws to Google in the past, he was awarded $1,337 as part of the company bounty program known as “Vulnerability Research Grants” program. The goal of the Google program is to invite experts and hacker to analyze the level of security for Google products and services, including YouTube.
Hismatullin spent part of his time in analyzing YouTube Creator Studio, he was looking for cross-site scripting (XSS) and cross-site request forgery (CSRF) fleas when he discovered a logical bug that allowed him to remove any video from YouTube using a simple POST request.
" ... unexpectedly discovered a logical bug that let me to delete any video on YouTube with just one following request:
POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
In response I got:
{
"success": 1
}
And the video got deleted!
States a blog post published by the expert that includes also a video PoC.
Giving a look to the POST request it is possible to note that it includes a session token, which is available in the page’s source code, and of course the ID of the video, included in the URL of the video that the we want to delete.
Google as fixed the flaw in YouTube a few hours after Hismatullin reported it to the IT giant, he was also awarded $5,000 for his discovery. Google recognized that the flaw was really serious so it awarded the maximum amount of money reserved for the logic flaws that lead to bypassing significant security controls in normal Google applications.
(Security Affairs – Youtube, hacking)
