A security researcher has discovered a simple but critical vulnerability in Google-owned YouTube that could be exploited by anyone to knock down the whole business of the popular video sharing website.
Kamil Hismatullin, a Russian security bod, found a simple logical vulnerability that allowed him to delete any video from YouTube in one shot.
While looking for Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) flaws in YouTube Creator Studio, Hismatullin came across a simple logical bug that could wipe out any video just by sending the identity number of that video in a POST request together with any session token.
The bug was simple but critical, as it could be exploited by an attacker to fool YouTube easily into deleting any video on its system.
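
The bug described above, where a delete request is honoured for any video ID as long as some session token accompanies it, is a missing ownership check. The following is an added example, not code from the original article or from YouTube; the handler names, tokens and video IDs are constructed to show the flawed check beside one that binds the token's user to the video's owner.

```python
# Added illustration of object-level authorization on a delete endpoint.
# Every name and value here is hypothetical and constructed for the example.

# Constructed sample data: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}


def new_store():
    """Return a fresh constructed video store: video ID -> owning user."""
    return {"vid-100": "alice", "vid-200": "mallory"}


def delete_video_flawed(store, session_token, video_id):
    """Flawed: confirms the token is valid but never asks whose video it is."""
    if session_token not in SESSIONS:
        return 401
    if video_id not in store:
        return 404
    del store[video_id]  # any logged-in user reaches this line for any ID
    return 200


def delete_video_checked(store, session_token, video_id, audit):
    """Hardened: the user behind the token must own the video being deleted."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401
    owner = store.get(video_id)
    if owner != user:
        # Record cross-owner attempts so they can be alerted on.
        if owner is not None:
            audit.append({"event": "cross_owner_delete_denied",
                          "user": user, "video_id": video_id})
        # Same status for "missing" and "not yours": IDs cannot be probed.
        return 404
    del store[video_id]
    return 200


if __name__ == "__main__":
    flawed, checked, audit = new_store(), new_store(), []
    print(delete_video_flawed(flawed, "tok-mallory", "vid-100"), flawed)
    print(delete_video_checked(checked, "tok-mallory", "vid-100", audit), checked)
    print(audit)
```
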
"I've fought the urge to [delete] Bieber's channel," Hismatullin wrote in his blog post. "Luckily no Bieber videos were harmed."
Citing the consequences of the issue, Hismatullin said "this vulnerability could create utter havoc in a matter of minutes in [attackers'] hands who could extort people or [just] disrupt YouTube by deleting massive amounts of videos in a very short period of time."
The researcher reported the bug to Google, and the search engine giant fixed the issue within several hours. Hismatullin won a $5,000 cash reward from Google for finding and reporting the critical issue and an extra $1337 under the company's pre-emptive vulnerability payment scheme.
Over a month ago, a similar bug was reported in Facebook's own systems that could have been exploited by attackers to delete any photo from anyone's Facebook account. However, the social networking giant fixed the relatively simple issue.