This Guy Could Have Deleted Everything on YouTube, but He Resisted
Kamil Hismatullin, a Russian hacker and security tinkerer, briefly had the ability to delete everything on YouTube. Here he shows how...
Comments
18 comments posted so far.
35
2. etplayer commented 9 years ago
Ok this is kind of a misleading title, he figured out a way to delete everything on youtube, *one video at a time*. Even if he had been able to clone himself 1000 times over, and was running 24/7, he'd still never delete everything on youtube. The brief makes it sound like he could have just gone "click" and youtube would have been sans all videos.
44
4. BrahmaBull commented 9 years ago
So google gave him $5000 for not deleting Bieber videos. Imagine if he had just set up an account where people could donate to make him delete them. He could have made so much more money that way.
27
7. PownMeister commented 9 years ago
#2 Scripts......
53
9. s1nn0cence commented 9 years ago
Also, IT people correct me if I'm wrong, but he just REMOVED (as in removed access to it by everyone else but him) the video, not DELETED it; therefore it's still in google/youtube's servers somewhere.
47
11. Cyrille commented 9 years ago
#2 Ever heard of "large scale DOS attack"?
From what we can see, this can be easily scripted. With a few thousand computers and some spare time, a lot of videos could have been deleted very quickly. For example, 1000 computers, 1 request per second per computer, that's 3.6 million videos deleted in one hour. And these are small numbers, you can easily get your hands on more than 1000 computers and do more than 1 request per second. Of course, there are security routines to prevent this, but with a bit of luck...
31
14. dzonivoker commented 9 years ago
tl;dr
He deleted his own video the hard way.
In the right browser you can see that he is logged in to Chrome as "kamil". Then, in the right browser he uses an email that starts with kamil....@gmail.com, in other words, his email. Don't get confused by the avatar in the left browser: Google allows many YouTube accounts with the same email address, but one email address owns them all and has rights to do everything with any of them.
So, in the left browser he finds the session token. Look at the session token as a secret pass phrase for every user's action (request). Every user has a different session token, and in this case he uses his own. Then, he uses Postman, a tool for testing REST APIs (I'm using it every day), and he sends the required request payload for deleting the video. In other words, as I said, he deleted his own video the hard way.
47
15. Cyrille commented 9 years ago
#14 Indeed, in his left browser he is logged in with a different email address that *might* give him rights to do everything, like deleting the video. But his left browser still says that he can't access the video because it is private. It's quite strange to allow someone to delete a video but not to read it.
0 1. Gringo_el_Diablo commented 9 years ago