White hat finds vulnerability allowing deletion of any YouTube video; Google awards $5,000

ID MYHACK58:62201560733
Type myhack58
Reporter Anonymous
Modified 2015-04-04T00:00:00


Russian security researcher Kamil Hismatullin recently found a logic vulnerability in YouTube that allowed a user to delete any video on YouTube. After submitting the vulnerability to Google, Hismatullin received a $5,000 reward.

FreeBuf explainer: Google's vulnerability research grant program

A few months ago, Google announced a vulnerability research grant program, Vulnerability Research Grants. Google selects some security researchers and emails them. Researchers can pick items from a list to test for vulnerabilities. Even if no vulnerability is found, researchers still receive a $1,337 reward for the time and effort they put in.

YouTube arbitrary video deletion vulnerability

While looking for cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in YouTube Creator Studio, Hismatullin stumbled upon a logic vulnerability that could delete any video: an attacker only needs to send any video's identification code along with any session token to delete that video. In other words, an attacker could use this vulnerability to easily remove any YouTube video.

Hismatullin recorded the process of exploiting the vulnerability to delete a YouTube video and uploaded it to YouTube under the title “Look at how I delete any YouTube video.”

Google awards $5,000; US netizens think it is too little

Hismatullin submitted the exploit to Google (YouTube is also a Google website), and the search giant fixed the problem in only a few hours while awarding Hismatullin a $5,000 vulnerability reward.

Netizens were indignant: “He should get $100,000!!!” Others analyzed it rationally: not everyone has hacking skills, so this vulnerability does not harm deeper interests.
Faced with the various arguments, Hismatullin responded generously: “Security research is my hobby. I like doing what I do now, regardless of how much the reward is.”

It is worth mentioning that a few months ago an Indian researcher found a similar vulnerability in Facebook's system: an attacker could exploit it to delete photos from anyone's Facebook account at will.
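
The flaw described above, where any session token plus any video identification code is enough to delete a video, is a missing object-level authorization check, and the Facebook photo case is the same class of bug. The sketch below is an added example, not code from YouTube, Facebook or the original article; the session table, `Video` model and function names are hypothetical and the data is constructed. It shows the flawed handler beside one that binds the object to the session's user and records denials for detection.

```python
from dataclasses import dataclass

class Forbidden(Exception): ...
class NotFound(Exception): ...

@dataclass
class Video:
    video_id: str
    owner: str

# Constructed sample data: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}

def new_store():
    """Fresh constructed video table keyed by video ID."""
    return {"vid-A1": Video("vid-A1", "alice"),
            "vid-M1": Video("vid-M1", "mallory")}

def delete_video_flawed(store, session_token, video_id):
    """Authenticates the caller but never ties the video to that caller."""
    if session_token not in SESSIONS:
        raise Forbidden("invalid session")
    if video_id not in store:
        raise NotFound(video_id)
    del store[video_id]  # any valid session can delete any video
    return True

def delete_video_checked(store, session_token, video_id, audit):
    """Object-level authorization: the session's user must own the video."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("invalid session")
    video = store.get(video_id)
    # Same error for "missing" and "not yours" so IDs cannot be enumerated.
    if video is None or video.owner != user:
        audit.append({"event": "delete_denied", "user": user,
                      "video_id": video_id})
        raise NotFound(video_id)
    del store[video_id]
    audit.append({"event": "delete_ok", "user": user, "video_id": video_id})
    return True

def denied_counts(audit):
    """Per-user count of denied deletes, a simple signal for alerting."""
    counts = {}
    for entry in audit:
        if entry["event"] == "delete_denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts
```
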