One man could have deleted every video on YouTube

Naked Security reports that security researcher Kamil Hismatullin had been looking around Google services in the hope of finding cross-site request forgery or cross-site scripting issues. These potentially serious vulnerabilities paled in comparison with what he stumbled across, though.
A major flaw in the YouTube API, which third-party YouTube apps and other applications use to access the site, gave him a way to delete every single video on YouTube with one small request to the Google servers powering the site.
Alternatively, the flaw could be exploited to delete a specific video by sending its identity number in a POST request. POST is a type of HTTP request that web browsers and other applications use to send data to web servers; the data travels in the body of the request and is not shown to the user of the application, unlike GET parameters, which appear in the address bar.
The YouTube servers accepted any access token as authentication, so Hismatullin found that his simple POST request could delete any video on the site. If he had left the video identity number blank, every single video ever uploaded to YouTube would have been removed.
Hismatullin reported the bug to Google, which apparently moved with incredible speed to fix it within a few hours, despite it being a Saturday morning. Instead of deleting everything, he uploaded a video to YouTube explaining what he had discovered.
Hismatullin is a member of Google’s new experimental security research program, Vulnerability Research Grants. He received a $5,000 payout from the program, saying “It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed.”
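The flaw described above is a missing per-object authorization check: the server confirmed that a token was present but never tied it to the video's owner. The sketch below is an added example, not code from Google or from the original article; it models that flaw class beside a hardened handler, using a constructed in-memory store and hypothetical names (`VIDEOS`, `TOKENS`, `delete_video_flawed`, `delete_video_checked`).

```python
# Constructed in-memory model; names and data are hypothetical, not YouTube's API.
VIDEOS = {"vid-a": "alice", "vid-b": "bob"}        # video id -> owner
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # access token -> account


def delete_video_flawed(store, token, video_id):
    """Flaw class from the article: a token must be present, but it is never
    tied to the video's owner, and a blank id is treated as "everything"."""
    if not token:
        return 401, []
    targets = [video_id] if video_id else list(store)
    removed = [v for v in targets if store.pop(v, None) is not None]
    return 200, removed


def delete_video_checked(store, tokens, token, video_id):
    """Hardened form: authenticate, validate the id, then authorize per object."""
    account = tokens.get(token)
    if account is None:
        return 401, []   # unknown or missing token
    if not video_id:
        return 400, []   # a blank id is never a wildcard
    owner = store.get(video_id)
    if owner is None:
        return 404, []
    if owner != account:
        return 403, []   # valid token, but it does not belong to the owner
    del store[video_id]
    return 200, [video_id]


def demo():
    results = {}
    s = dict(VIDEOS)
    results["flawed_other_owner"] = delete_video_flawed(s, "tok-bob", "vid-a")
    s = dict(VIDEOS)
    results["flawed_blank_id"] = delete_video_flawed(s, "tok-bob", "")
    s = dict(VIDEOS)
    results["checked_other_owner"] = delete_video_checked(s, TOKENS, "tok-bob", "vid-a")
    results["checked_blank_id"] = delete_video_checked(s, TOKENS, "tok-bob", "")
    results["checked_owner"] = delete_video_checked(s, TOKENS, "tok-alice", "vid-a")
    results["remaining"] = sorted(s)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The hardened handler separates three decisions that the flawed one collapses: who is calling (401), whether the request is well-formed (400), and whether that caller may act on that specific object (403).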
