Some powers are so terrible and vast that they should be denied to humankind, for we would not know how to wield them responsibly. For example: Kamil Hismatullin, a Russian hacker and security tinkerer, briefly had the ability to delete everything on YouTube.

Smart tech firms like Google and Facebook routinely pay hackers and miscellaneous security geeks to find (and report) security flaws. This way, companies can plug the holes before someone less scrupulous can use them to mess with our data online. It’s a good system, and as Hismatullin, one such geek, details in a personal blog post, he recently landed a whopper: the ability to instantly delete any video on YouTube. All it took was sending a very, very short string of text to the site, and no matter whose video you’d targeted, it’d vanish as if the owner himself had trashed it.

He uploaded a video of the attack in action, if you’re curious:

What’s more surprising than the fact that it only took Hismatullin several hours to find this vulnerability is that he didn’t go wild with power, insane with cyberstrength and video bloodlust. He could’ve nuked Gangnam Style and its 2.2 billion views. He could’ve erased Rickroll, Rihanna, Macklemore, Minecraft, and Charlie Bit My Finger. Surely he could’ve automated the process and just wiped YouTube into a big vacuum. No more videos, no more Kimmel Pranks, no more content. He could have been a God. We would’ve submitted to him, given him our clothes and coins and fealty. But instead he handed it all over to Google for a $5,000 bounty, which really seems very low!

In general I spent 6-7 hours to research, considering that couple of hours I’ve fought the urge to clean up Bieber’s channel haha.

Although it was an early Saturday’s morning in SF when I reported issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who can used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time. It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D

Already in the comments, he’s realized he got lowballed: “Yes, I agree with you, this bug is worth more than $5k. To be honest I expected $15k-$20k.”


Contact the author at biddle@gawker.com.

Public PGP key
PGP fingerprint: E93A 40D1 FA38 4B2B 1477 C855 3DEA F030 F340 E2C7