
This Russian programmer found a way to delete all your YouTube videos

A programmer in Russia found a vulnerability in YouTube’s code that made it possible to permanently delete any video uploaded to the website. The Kazan-based programmer, Kamil Hismatullin, revealed the discovery on his blog.

In a blog post titled “How I Could Delete Any Video on YouTube,” Hismatullin explained how he participated in a new project called the Vulnerability Research Grants, which Google launched in January 2015 to encourage the security-research community to find bugs and vulnerabilities in its software.

Hismatullin focused on YouTube Creator Studio, which allows users to manage their “channels” on the website. The Creator Studio allows individuals to upload videos, monitor those videos’ traffic statistics, manage content, respond to comments, and so on.

How I could delete any video on YouTube
Kamil Hismatullin

Hismatullin discovered that it was possible to use the Creator Studio to delete any video on YouTube, using only his own unique “event_id” and “session_token.” Google apparently corrected the error within hours of Hismatullin’s discovery, awarding him $5,000 for the find.

In YouTube Creator Studio I investigated how live_events/broadcasting systems work. I wanted to find some CSRF or XSS issues there, but unexpectedly discovered a logical bug that let me delete any video on YouTube. [...] It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D

Kamil Hismatullin