A Russian coder has revealed how he discovered a way to delete any video on YouTube.
According to a demonstration of Kamil Hismatullin’s technique, he could copy part of a video’s web address and use it to wipe the clip within half a minute. Rather than exploit the hack, he instead reported it to parent company Google, which rewarded him with a $5,000 bug bounty.
“Although it was an early Saturday’s (sic) morning in San Francisco when I reported [the] issue, Google’s security team replied very fast, since this vulnerability could create utter havoc in a matter of minutes in the bad hands,” he said. “This vulnerability [might have been used] to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time.
Hismatullin wrote that he discovered the flaw while investigating YouTube Creator Studio, a service that lets video creators see analytics data about the clips they have uploaded via an app.