Google gave a $5,000 reward to a Russian coder who discovered a vulnerability in YouTube that would allow him to delete any video on the website in just a few seconds.
Kamil Hismatullin, 21, demonstrated in a blog post that once he had copied part of a video's web address, he could use the vulnerability to delete the video file within half a minute.
"In general, I spent six to seven hours to research, considering that [for a] couple of hours I've fought the urge to clean up Bieber's channel. Haha," Hismatullin wrote, revealing his temptation to wipe out the music videos of Canadian pop star Justin Bieber.
According to Hismatullin, the flaw could have been exploited to cause havoc quickly, either by extorting people or simply by disrupting YouTube through taking down a massive number of videos over a short period of time.
However, instead of exploiting the flaw, Hismatullin decided to report it to Google.
Hismatullin reported the issue to Google in the early morning of April 4 in San Francisco, adding that he was surprised by the fast reply of Google's security team. The vulnerability was fixed after several hours, and Google then offered him the reward of $5,000.
According to the Russian coder, the issue was discovered while he was examining the YouTube Creator Studio, which is a service that allows video creators to study analytics data regarding the videos that they have uploaded to YouTube through an app.
The vulnerability was exploited by using the event ID of a video, which can be found in the web address, and an authentication token, which is a lengthy string made up of numbers and letters serving as a sort of password.
Hismatullin discovered that the service accepted all kinds of tokens for a request to delete a video, as opposed to requiring one owned by the user who uploaded the video. This means that a hacker exploiting the issue could use an authentication token that did not belong to a video's uploader to delete the videos of other users.
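The missing check described above, shown as an added example that is not YouTube's code and not taken from Hismatullin's post: a simplified delete handler that only confirms the token is valid, next to one that also confirms the token's account owns the video. All names, tokens and video ids are hypothetical and constructed for illustration.

```python
# Constructed sample data: session tokens and video ids are made up.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}


class AuthError(Exception):
    """Raised when a request is unauthenticated or not permitted."""


def new_store():
    # video id -> owning account
    return {"vid-001": "alice", "vid-002": "mallory"}


def authenticate(token):
    """Map a token to its account, or fail if the token is unknown."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthError("invalid token")
    return user


def delete_video_flawed(store, token, video_id):
    """Flaw as described: any valid token is accepted for any video."""
    authenticate(token)              # authentication only
    if video_id not in store:
        raise KeyError(video_id)
    del store[video_id]              # no ownership check before the delete


def delete_video_checked(store, token, video_id):
    """Corrected form: the token's account must own the video."""
    user = authenticate(token)
    owner = store.get(video_id)
    # Same error for "missing" and "not yours" so ids cannot be probed.
    if owner is None or owner != user:
        raise AuthError("not permitted")
    del store[video_id]


def try_delete(handler, token, video_id):
    """Run one handler on a fresh store; return (allowed, remaining ids)."""
    store = new_store()
    try:
        handler(store, token, video_id)
        allowed = True
    except (AuthError, KeyError):
        allowed = False
    return allowed, sorted(store)
```

A regression test for this class of bug sends the delete request with a second account's token and asserts that the video is still present afterwards.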
Hismatullin previously received a $1,337 grant from Google as part of a program that encouraged people to search for flaws in Google's products. The coder's examination of the YouTube Creator Studio was driven by the grant.
In the comments section of his blog post, Hismatullin wrote that he initially expected a higher reward than the $5,000 that he received, somewhere in the range of $15,000 to $20,000. However, after reading Google's rules, Hismatullin found that $5,000 was really the maximum reward he would receive for his reported vulnerability.
Photo: Andrew Perry | Flickr