Here at Flatstack we have a lot of very talented people. During the day, those talents are directed at helping our clients bring great applications to life. But our engineers, developers, and designers also work on their own side projects, contribute to open source Software, and work on any other creative outlet they can think of. One of those other creative outlets is hunting for bugs in a piece of software that millions of people use every day. 

Imagine pulling up Youtube one day to watch your favorite video for the 50th time, only to find out it isn’t there. You think to yourself “hmm, that’s strange. Oh well, I’ll just watch a funny cat video”. But that one is gone too. In fact, all of the most viewed videos on YouTube are gone. Disappeared. Forever. What a bleak prospect that would be! No more Gangnam Style, no more Justin Bieber, or Charlie bit my finger. Life as you know it would pretty much cease to exist. But thanks to a very talented coder from Russia, that’s a world you’ll never have to live in.

Photo: people.com

Many large software companies know there are bugs in their code, back doors that can be opened with just the right keystroke. And they have programs in place that actually reward people for finding and reporting them. Google is one of these companies, and that’s how Kamil Hismatullin Saved Youtube. He was taking place in Google’s Vulnerability Research Grant program and found the flaw after doing a bit of digging around.

Sure there are plenty of people who would put that knowledge to use in a malicious way. More and more often though, people who are capable of finding these flaws are using their power for good. In particular, Hismatullin was focused on the YouTube Creator Studio. This is where video creators can look through data and analytics attached to the videos that they’ve uploaded.

Photo: youtube.com

Each video has a unique event ID that can be found in the web address, along with an authentication token that is more or less a password. After digging around there, he was able to discover that the service accepted various kinds of different tokens for the request to delete a video, as opposed to only accepting one owned by the user who uploaded the video.

To start making any video they wanted disappear, a malicious hacker could gain access to the authentication tokens and use them to delete the videos.

YouTube Savior Kamil Hismatullin

Kamil’s find drew notice from the press too!  Check him out on Quartz, Business Insider, Gawker, and PC Gamer.

This isn’t Kamil’s first rodeo though - he’s previously found bugs in Google, Github, and HipChat as well. So after publishing a blog post, Google confirmed the details of his find.

As part of the grant program he participated in, Hismatullin was initially given $1,337 to start hunting for bugs. After reporting the bug, he received an additional $5,000.

Previous bug bounties have been paid out in excess of over $100,000. Unfortunately for him, this bug fell into a specific category within the VRG program, and the maximum amount allotted for that category is $5,000.

However, given that YouTube could have been crippled by this particular error in their code, it seems like they got the better end of this deal.

Because of Hismatullin’s efforts, YouTube’s videos are safe and sound now. And although he “fought the urge to clean up Bieber’s channel”, even the Biebs and his legion of fans can rest easy knowing there will still be one less lonely girl.

This post was written by Jay McCauley, part of the Customer Success team here at Flatstack. You can find him @mccauley_jay. He does not suffer from Bieber fever. If you like what you read, it would be awesome if you shared it with someone else!