Security researcher Kamil Hismatullin has disclosed a simple method for deleting any video from YouTube. Naturally, Google immediately fixed the bug, which allowed the complete deletion of YouTube; otherwise we would not be able to publish it…
The Russian programmer and hacker found that he could delete any YouTube video just by sending the video's ID in a POST request along with his own user token.
POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
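The request above works for any video ID, which implies the endpoint accepted a valid session token without checking that its user owned the target video. As an added example (not from the original post and not YouTube's code; the root cause is an assumption drawn from the description, and the store, names and tokens are constructed), here is a delete handler with that gap beside one that enforces ownership:

```python
# Added example: toy in-memory model, not YouTube's code; all names hypothetical.
from dataclasses import dataclass
class Forbidden(Exception):
    """Caller may not act on this object."""

@dataclass
class Video:
    video_id: str
    owner: str

class VideoStore:
    def __init__(self, videos, sessions):
        self.videos = {v.video_id: v for v in videos}
        self.sessions = dict(sessions)  # session_token -> user name

    def _authenticate(self, session_token):
        user = self.sessions.get(session_token)
        if user is None:
            raise Forbidden("invalid session token")
        return user

    def delete_vulnerable(self, session_token, event_id):
        # Authenticates the caller but never checks who owns event_id.
        self._authenticate(session_token)
        return self.videos.pop(event_id, None) is not None

    def delete_hardened(self, session_token, event_id):
        # Object-level authorization: the caller must own the target.
        user = self._authenticate(session_token)
        video = self.videos.get(event_id)
        # Same error for "missing" and "not yours", so IDs cannot be probed.
        if video is None or video.owner != user:
            raise Forbidden("no such video for this user")
        del self.videos[event_id]
        return True

def demo():
    """Run both handlers on constructed data; return the surviving video IDs."""
    def fresh():
        return VideoStore([Video("vid-alice", "alice"), Video("vid-bob", "bob")],
                          {"tok-alice": "alice", "tok-bob": "bob"})
    weak, strong = fresh(), fresh()
    weak.delete_vulnerable("tok-bob", "vid-alice")      # bob deletes alice's video
    try:
        strong.delete_hardened("tok-bob", "vid-alice")  # rejected: not the owner
    except Forbidden:
        pass
    strong.delete_hardened("tok-bob", "vid-bob")        # the owner may delete
    return sorted(weak.videos), sorted(strong.videos)
```
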
Google, as usual in such cases, rewarded the researcher with 5000 dollars.
"I wanted to see if there were any CSRF or XSS vulnerabilities, but I unexpectedly discovered a bug that allowed me to delete any YouTube video with a single request," says Hismatullin.
"... This vulnerability could create utter disaster in a matter of minutes in the hands of a hacker, as it could delete videos from YouTube very quickly."
Hismatullin also mentions that Google responded immediately after he reported the bug and proceeded to fix it (the company is known for fixing bugs right away, unlike some others... we are not naming names or pointing at Apple and Microsoft).
The researcher also reports that he resisted the urge to "delete Bieber's channel".
We're with you, Kamil!