Kamil Hismatullin, a talented Russian programmer and security specialist, had the ability to delete everything on YouTube. All it took was sending a single, very short string of text to the site, and no matter whose video he’d targeted, it’d disappear as if the owner himself had removed it. As Gawker notes, “what’s more surprising than the fact that it only took Hismatullin several hours to find this vulnerability is that he resisted the urge to clean up Youtube,” including Bieber’s channel. “He could’ve automated the process and just deleted all of YouTube videos.” Instead he handed it all over to Google for a $5,000 reward.
Google’s Security team routinely pay hackers and security geeks to find and report security flaws. This way, company can fix it before someone can use it to mess with the data online. Hismatullin took up the challenge. As he elaborates in his personal blog post, he recently found out how to instantly delete any video on YouTube with just one text request.
He uploaded a video of the attack in action:
In the comments, he’s realized he got underpaid by Google: “Yes, I agree with you, this bug is worth more than $5k. To be honest I expected $15k-$20k.”