Recently Google announced an experimental program named Vulnerability Research Grants (VRG). No doubt it is a great concept. In this program, Google’s security team selects regular reporters and sends them emails.

The researchers then choose a product or service from the list in the email and investigate its security.

The objective of VRG is to encourage vulnerability research: even if the researcher doesn’t find any vulnerability, he will be eligible for the reward for spending time and giving attention to security.


However, if the researcher does find a vulnerability, he will be eligible for the reward for the detected flaw in addition to the regular grant amount.

Kamil Hismatullin is one such reporter who received the email from Google and spent time looking for security flaws in Google’s products. He selected YouTube Creator Studio as the target and composed two comprehensive reports within a few hours. One report concerned an easily exploitable and very critical security issue.

Hismatullin states: “In YouTube Creator Studio I investigated how live_events/broadcasting systems work. I wanted to find there some CSRF or XSS issues, but unexpectedly discovered a logical bug that let me delete any video on YouTube with just one request.”

The following request was responsible for deleting YouTube videos:

POST https://www.youtube.com/live_events_...e_live_event=1
event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN

Hismatullin received this response:

{ "success": 1 }
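
A request in which event_id names any video while session_token is the caller's own is consistent with a missing ownership check on the server. The Python below is an added example, not code from the article or from YouTube; it assumes that root cause (the article does not state it) and contrasts a handler that only validates the session with one that also verifies who owns event_id. All function names, tokens and video ids are hypothetical and constructed.

```python
# Added illustration: a hypothetical in-memory service, not YouTube's code.

# Constructed sample data: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}


class AuthError(Exception):
    """Raised when the caller is unauthenticated or does not own the object."""


def _authenticate(session_token):
    user = SESSIONS.get(session_token)
    if user is None:
        raise AuthError("invalid session")
    return user


def new_store():
    # Constructed sample: video id -> owner.
    return {"vid-alice-1": "alice", "vid-mallory-1": "mallory"}


def delete_event_vulnerable(videos, event_id, session_token):
    """Assumed flaw: any valid session may delete any event_id."""
    _authenticate(session_token)   # the caller is logged in...
    videos.pop(event_id, None)     # ...but ownership is never checked
    return {"success": 1}


def delete_event_hardened(videos, event_id, session_token, audit_log):
    """Delete only when the authenticated user owns the referenced object."""
    user = _authenticate(session_token)
    owner = videos.get(event_id)   # None when the id does not exist
    if owner != user:
        # Same error for "missing" and "not yours", so ids cannot be probed;
        # the denied attempt is recorded so it can be alerted on.
        audit_log.append(("delete_denied", user, event_id))
        raise AuthError("not found")
    del videos[event_id]
    audit_log.append(("delete_ok", user, event_id))
    return {"success": 1}
```

The audit entries for denied deletions give defenders a signal to alert on: one account repeatedly referencing objects it does not own.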


It wasn’t an easy task, though: Hismatullin revealed that he “spent 6-7 hours to research.”

In response, Google’s security team acted promptly, because this flaw could have wreaked havoc within minutes had attackers found it: they could easily have used it to extort people or simply to disrupt YouTube’s operations by deleting videos, according to Hismatullin’s official blog.

The flaw took several hours to be fixed and Google rewarded Hismatullin $5k.