Google Rewards Researcher $5K for Identifying YouTube Vulnerability

This article is a company-provided press release and ProgrammableWeb cannot vouch for the accuracy of the statements within. If you have questions regarding the information below, please contact the company that issued the press release.
Imagine the power to remove any video from YouTube that you dislike. A Russian IT expert claims he was tempted to do just that with all the videos from Justin Bieber’s YouTube channel.

Kamil Hismatullin, a 22-year-old software developer and security researcher from Russia, detected a major security flaw in YouTube's code that could allow him to erase any video posted by anyone on YouTube, regardless of the password and the encryption code.

Hismatullin joked that he “fought the urge” to erase Justin Bieber's channel for a couple of hours, but chose instead to report the bug to Google.

It took about 7 hours to identify the vulnerability in Google's Application Programming Interface (API), Hismatullin said. He collected $5,000 for his research, the maximum award for this kind of discovery.

Hismatullin wrote on his blog that his decision to report the bug was not driven by money; however, he understood that the bug could "create utter havoc in a matter of minutes in bad hands who [could have] used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time."

He said he was surprised at how quickly Google responded after he reported the bug.
"Although it was an early Saturday morning in SF when I reported the issue, Google’s tech team replied very fast," he wrote.

“It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed,” Hismatullin joked on his blog.

In January, Google launched its Vulnerability Research Grants in order to offer financial grants to "top performing, frequent vulnerability researchers as well as invited experts" in exchange for research into potential flaws of certain applications, RT reported.

Reportedly, many said Google's award of $5,000 is less than Hismatullin deserves for his finding; however, the ‘bug hunter’ said that security research is only his hobby, which he enjoys doing regardless of how much he is paid.
