A security researcher identified a vulnerability in Google’s Application Programming Interface (API) that could have let him delete any and every video on YouTube.
Kamil Hismatullin refrained from exploiting the bug and instead reported it to Google this past weekend, Naked Security reported. Google patched the bug immediately and awarded Hismatullin $5,000 for the findings.
He could have deleted the videos by sending a video identity number in a POST request along with any token. Naked Security wrote that a similar bug was recently found in Facebook that could have allowed an attacker to delete any photo.
Both bugs related to issues with access control.
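The class of access-control flaw described above, shown as an added example that is not Google's code or part of the original report: a delete handler that authenticates the token but never checks ownership, beside a version that does. The session table, video store, and function names are hypothetical and the data is constructed.

```python
# Constructed in-memory data; not YouTube's real data model or API.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # token -> user
VIDEOS = {"vid-1": "alice", "vid-2": "bob"}           # video id -> owner


def delete_video_vulnerable(store, token, video_id):
    """Authenticates the caller but never checks who owns the video."""
    if token not in SESSIONS:
        return 401
    if video_id not in store:
        return 404
    del store[video_id]          # any valid token deletes any video
    return 200


def delete_video_hardened(store, token, video_id, audit):
    """Authenticates, then authorizes against the object's owner."""
    user = SESSIONS.get(token)
    if user is None:
        return 401
    owner = store.get(video_id)
    if owner is None:
        return 404
    if owner != user:
        # Denied cross-user deletes are logged so they can be alerted on.
        audit.append((user, video_id, "denied"))
        return 403
    del store[video_id]
    audit.append((user, video_id, "deleted"))
    return 200


def demo():
    """Run the same cross-user request against both handlers."""
    weak, strong, audit = dict(VIDEOS), dict(VIDEOS), []
    results = {
        "vulnerable_cross_user": delete_video_vulnerable(weak, "tok-bob", "vid-1"),
        "hardened_cross_user": delete_video_hardened(strong, "tok-bob", "vid-1", audit),
        "hardened_owner": delete_video_hardened(strong, "tok-alice", "vid-1", audit),
    }
    return results, weak, strong, audit


if __name__ == "__main__":
    print(demo())
```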
Hismatullin was already one of the researchers participating in Google’s “Vulnerability Research Grants” program, which awards researchers up front, before they submit a bug.
The maximum award amount allowed under the program rules is $5,000.