How Hackers Could Delete Any YouTube Video With Just One Click!

A security researcher has discovered a simple but critical vulnerability in Google-owned YouTube that could be exploited by anyone to knock down the whole business of the popular video sharing website.

Ethical Hacking News

Kamil Hismatullin, a Russian security bod, found a simple logical vulnerability that allowed him to delete any video from YouTube in one shot.

While looking for Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) flaws in YouTube Creator Studio, Hismatullin came across a simple logical bug that could wipe up any video by just sending an identity number of any video in a post request against any session token.

The bug was simple but critical as it could be exploited by an attacker to fool YouTube easily into deleting any video on its system.

"I've fought the urge to [delete] Bieber's channel," Hismatullin wrote in his blog post. "Luckily no Bieber videos were harmed."

Citing the consequences of the issue, Hismatullin said "this vulnerability could create utter havoc in a matter of minutes in [attackers'] hands who could extort people or [just] disrupt YouTube by deleting massive amounts of videos in a very short period of time."

The researcher reported the bug to Google, and the search engine giant fixed the issue within several hours. Hismatullin won $5,000 cash reward from Google for finding and reporting the critical issue and an extra $1337 under the company’s pre-emptive vulnerability payment scheme.

Over a month ago, a similar bug was reported in Facebook's own systems that could have exploited by attackers to delete any photo from anyone’s Facebook account. However, the social networking giant fixed the relatively simple issue.

Comments

Create Your Own Social Networking Site

Create Your Own Social Networking Site JCOW: Ethical Hacking Top 10 reasons to choose Jcow:- 1. Handle more traffic - Clean codes and Dynamic caching can lower the CPU load and speed up your website. 2 Make your site more interactive - Well designed Jcow applications help you members to connect and communicate with others more effectively. 3 Add questions to the Registration Form - You can add new member fields, which will be displayed to the registration form, profile form, and the member browsing form. 4 Easily share stuff - Within the AJAX sharing Box, your members can publish status, photos, videos, and blogs. 5 Customize and Extend your Jcow Network - A Jcow network consists of core apps(like "Friends" and "Messages") and optional apps(like "Blogs" and ""Videos"). You can enable/disable optional apps. You can also develop your own apps. 6 Every profile could be Unique - Members can customize their own profile theme and add music play...

HL7V2.x to HL7V3.0 Translation Issues Details-2

In continuation of my previous post this post lists the other issues associated with HL7 v2.x to HL7v3 translation Conformance Patterns: The other major issue with the transformation of messages is the behavior of application when a particular information exchange takes place. In HL7V3.0 apart from the trigger events and interactions there exists the notion of application role as senders and receivers. The application role is characterized as the entire set of interactions for which the sender and receiver are responsible for transmitting. HL7V3.0 clearly defines the possible interactions and the application behavior associated these interactions in the form of responses for which the sender and receiver needs to adhere to. The differences in messages between V2.x and V3.0 and absence of clear guidance on V2.x regarding application behavior on receipt of message makes the transformation exercise more difficult. Vocabulary: It is a well known fact that 80% of HL7 V2.x message failu...

Hack WiFi Account From Phishing Attack With WifiPhisher

WiFi Phishing Attack With WifiPhisher Tool Wifiphisher is a security tool that mounts fast automated phishing attacks against WiFi networks in order to obtain secret passphrases and other credentials. It is a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases. From the victim's perspective, the attack makes use in three phases: 1. Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well. 2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up ...

DOYLC

Search This Blog