YouTube fixes bug that could’ve allowed hacker to delete any video
Just think of a world where Justin Bieber didn’t exist on YouTube.
From encrypted instant messengers to secure browsers and operating systems, thees privacy-enhancing apps, extensions, and services can protect you both online and offline.
Now think of someone pocketing $5,000 after alerting Google to a bug that allowed a hacker to delete any Bieber video on the site?
That’s “responsible” disclosure. But we can still dream of a quiet, Bieberless world.
Security researcher Kamil Hismatullin received the top-tier reward after he reported to the company how he could delete any video by spoofing the site into thinking he owned a video.
After hunting for cross-site scripting flaws, he stumbled upon a logical bug that allowed him to delete videos by entering a video ID against any session token.
By all accounts, it’s a relatively simple bug to find, and to exploit.
Google’s security team fixed the bug that day, and granted Hismatullin the four-figure sum shortly after for his disclosure.
A similar bug appeared in Facebook’s own systems a few weeks ago, one that was also promptly fixed. A relatively simple bugcould’ve allowed a hacker or malicious actor to delete any photo on the social networking site.