A Russian software developer has found a security flaw that could have allowed him to remove any video on YouTube in a matter of seconds. And he says he was close to doing just that.
Kamil Hismatullin, 21, joked he “fought the urge” to
erase Justin Bieber's channel for a couple of hours, but chose to
report the bug to Google instead.
It took the security researcher from Kazan, the capital of
Russia’s Republic of Tatarstan, about 7 hours to identify the
vulnerability in Google's Application Programming Interface
(API). He collected $5,000 for his research, the maximum award
for this kind of discovery.
Hismatullin wrote on his blog that the bug could
"create utter havoc in a matter of minutes in bad hands who
[could have] used this vulnerability to extort people or simply
disrupt YouTube by deleting massive amounts of videos in a very
short period of time."
He said he was surprised at how quickly Google responded after he
reported the bug.
"Although it was an early Saturday morning in SF when I reported
the issue, Google’s tech team replied very fast," he wrote.
“It was fixed in several hours, Google rewarded me $5k and
luckily no Bieber videos were harmed.”
Google launched its Vulnerability Research Grants in January to
offer financial grants to "top performing, frequent
vulnerability researchers as well as invited experts" in
exchange for research into potential flaws of certain
applications.
While many said Google's award of $5,000 is less than Hismatullin
deserves for his finding, the bug hunter said that security
research is only his hobby, which he enjoys doing regardless of
how much he is paid.