Mass chaos would ensue if the world woke up one morning to discover that every video on YouTube had been deleted and apparently, it almost happened. Due to a security flaw, the massive video sharing website was let open to destruction. In the hands of the wrong person, this could of been devastating. Fortunately, one computer researcher discovered the problem.
Software developer, Kamil Hismatullin was given a monetary grant by Google, who owns YouTube, to research the website for any potential bugs. After only six or seven hours of research, he discovered the security flaw.
“Although it was an early Saturday’s morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time,” he wrote. “It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D”
While it was fairly simple for Hismatullin to access this ability, the explanation of to do it would confuse us simple folks.
The Vulnerabilty Research grants funded by Google are meant to help discover problems just like this. A major deletion of videos could have been a huge issue for the company. Kamil was awarded for his research and has written about it extensively on his blog. He also described how the grant program works and how he was chosen.
“Researcher selects product/service from the list and looks into the security of it. The goal of VRG is to support research looking for vulnerabilities, so even no vulnerability is found, researcher will receive reward for an attention and spent time. But if, as a result of the grant, vulnerabilities are found, then person will receive both reward for detected issues and a grant amount itself.”
“As a frequent google reporter, I’ve received the email above and decided to spend some time on weekends and look into the security of Google products. I selected YouTube Creator Studio as a target and after a few hours I composed two reports. One of them was about easily exploitable, but pretty high severity issue.”
He breaks down all the technical process, which you can read all about if that is your thing.