Google fixed a vulnerability that allowed any YouTube user to delete any video

South Korean rapper Psy’s “Gangnam Style,” the most-viewed video on YouTube, could have been history.
South Korean rapper Psy’s “Gangnam Style,” the most-viewed video on YouTube, could have been history.
Image: Reuters/Lee Jae-Won
We may earn a commission from links on this page.

Everybody makes mistakes. Google caught a big one before it was too late.

The tech giant fixed a giant vulnerability in YouTube that allowed any user to delete any video from the site by making the right request to the right URL. And yes, that really means any clip on YouTube—from viral-pop music videos to internet legends like “Charlie bit my finger.”

The security hole was discovered and reported March 28 by a software engineer and security researcher named Kamil Hismatullin, and fixed several hours later by Google engineers. Apparently, no attackers were able to maliciously delete videos before the bug was squashed.

Hismatullin, who has previously discovered bugs in Google, Github, and the chat application HipChat, according to his LinkedIn profile, published a blog post on March 31 explaining the exploit. Google confirmed the details of his post to Quartz.

Hismatullin had been investigating YouTube’s security as part of Google’s Vulnerability Research Grant program, in which the company pays talented good-guy hackers to try to find security flaws before the bad guys do. Vulnerability Research Grants are a twist on the bug bounty programs that have become popular with tech companies in recent years.

The goal of bug bounties is to reward hackers for alerting tech companies to security flaws discreetly, rather than exploiting or publicizing the bugs. In recent years, Google and Microsoft have paid individual bug bounties of over $100,000.

Hismatullin wasn’t as lucky. He was initially given $1,337 just to look (in general, these grants range from $500 to $3,133.70) and then received an additional $5,000 after reporting the gaping hole.

Bug bounties aren’t established enough to know if Hismatulllin’s find merited more. But given the severity of the vulnerability, it seems like Google got a pretty good deal.