Jump to content

Security flaw gave researcher the power to erase every video on YouTube

s28400
By s28400
in Tech News
 Share
Posted

pretty sure this just deletes it from public domain, they still have the content on their servers

 

source: i have heard of (popular) youtubers having their channels hacked and videos deleted, but they were able to contact youtube and have their videos brought back to their channel.

NEW PC build: Blank Heaven   minimalist white and black PC     Old S340 build log "White Heaven"        The "LIGHTCANON" flashlight build log        Project AntiRoll (prototype)        Custom speaker project

Spoiler

Ryzen 3950X | AMD Vega Frontier Edition | ASUS X570 Pro WS | Corsair Vengeance LPX 64GB | NZXT H500 | Seasonic Prime Fanless TX-700 | Custom loop | Coolermaster SK630 White | Logitech MX Master 2S | Samsung 980 Pro 1TB + 970 Pro 512GB | Samsung 58" 4k TV | Scarlett 2i4 | 2x AT2020

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Normally, the way deletion works, if you're doing it properly, is that you just update a value in the database, when a used tries to access the deleted content, you just check if it's "deleted" or not, and if it is, you just tell them, and of cause, when you are listing out all the videos, you just don't list out anything that is set do "deleted == true".

But this could still have been a maaaassive pain in the butt for everyone involved.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

If it's just a value that determines if a video is "deleted". Does that mean the same method can be done in reverse to bring back video that was taken down?

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

If it's just a value that determines if a video is "deleted". Does that mean the same method can be done in reverse to bring back video that was taken down?

Often yes, they way it's done is that in the database you have culloms and rows containing data, like a table.

 

fx:

VideoID | VideoName | VideoDescription | (ect, etc, etc) | VideoIsDeleted|

        23  | LTT Review  | Video about PCs  | (ect, etc, etc)  |                      0  |

Now, normally by default, the "deleted" value, will be 0 (false) so it is not delete, but then you update that value to 1 (true) when you delete it, then you simply add an if() statement in your code, to check every time the user is requesting data, to whether or not the video should be visible.

So it would be faily simple to just go in, and set the "deleted" to being 0 again, however, you need to know what videos to "un-delete", but I can gareentee you that something as big as Youtube will have all kind of redundencies and backups to make sure something like this doesn't happen.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

can we get him to delete all of MSI's videos? 

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Its hardly a viable solution, i mean you'd have to sit there and get every video id one at a time which would take years.

 

Sure its a security hole but

 

"Able to delete every video on Youtube"? No

 

"Able to delete ANY video on Youtube"? Sure

 

Plus he only shows the token being used to delete his own video in his own session, perhaps if you try to use your own token to delete someone elses video it will say "Computer says No!"

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

can we get him to delete all of MSI's videos? 

 

Even better, IGN videos lol

Slick:

I don't care if you are right or wrong... someone will come around and correct you if you are wrong. What people need to realize is that we need to step up as a community and get above the pathetic fights and bickering. Share knowledge, be friendly, enjoy your stay.

He also forgot to mention if you dont know about the topic then dont make stuff up. Dont claim fake or assume things just by reading the title, Read the post. It doesnt matter if you made 3,000 as it could be mostly crap...

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Its hardly a viable solution, i mean you'd have to sit there and get every video id one at a time which would take years.

 

Sure its a security hole but

 

"Able to delete every video on Youtube"? No

 

"Able to delete ANY video on Youtube"? Sure

 

Plus he only shows the token being used to delete his own video in his own session, perhaps if you try to use your own token to delete someone elses video it will say "Computer says No!"

 

You can just create a simple macro or even a bot to do it. It wouldnt be hard. He could delete a lot of videos.

Slick:

I don't care if you are right or wrong... someone will come around and correct you if you are wrong. What people need to realize is that we need to step up as a community and get above the pathetic fights and bickering. Share knowledge, be friendly, enjoy your stay.

He also forgot to mention if you dont know about the topic then dont make stuff up. Dont claim fake or assume things just by reading the title, Read the post. It doesnt matter if you made 3,000 as it could be mostly crap...

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

vnlYh26m.jpg

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

If it's just a value that determines if a video is "deleted". Does that mean the same method can be done in reverse to bring back video that was taken down?

In most cases yes.

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

If it's just a value that determines if a video is "deleted". Does that mean the same method can be done in reverse to bring back video that was taken down?

In most cases yes. Deleting something doesn't remove it, it just removes the code that says "something is stored from here to here, do not write over it" to truly remove it that portion of storage must be written over.

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

If it's just a value that determines if a video is "deleted". Does that mean the same method can be done in reverse to bring back video that was taken down?

In most cases yes. Deleting something doesn't remove it, it just removes the code that says "something is stored from here to here, do not write over it" to truly remove it, that portion of storage must be written over.

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

In most cases yes. Deleting something doesn't remove it, it just removes the code that says "something is stored from here to here, do not write over it" to truly remove it, that portion of storage must be written over.

Lol tripple post xD

My posts are in a constant state of editing :)

CPU: i7-4790k @ 4.7Ghz MOBO: ASUS ROG Maximums VII Hero  GPU: Asus GTX 780ti Directcu ii SLI RAM: 16GB Corsair Vengeance PSU: Corsair AX860 Case: Corsair 450D Storage: Samsung 840 EVO 250 GB, WD Black 1TB Cooling: Corsair H100i with Noctua fans Monitor: ASUS ROG Swift

laptop

Some ASUS model. Has a GT 550M, i7-2630QM, 4GB or ram and a WD Black SSD/HDD drive. MacBook Pro 13" base model
Apple stuff from over the years
iPhone 5 64GB, iPad air 128GB, iPod Touch 32GB 3rd Gen and an iPod nano 4GB 3rd Gen. Both the touch and nano are working perfectly as far as I can tell :)
Link to comment
Share on other sites
Link to post
Share on other sites
Posted

can we get him to delete all of MSI's videos? 

 

Noooo I want wierd ads with girls playing games in their underwear!

/s

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Its hardly a viable solution, i mean you'd have to sit there and get every video id one at a time which would take years.

 

Sure its a security hole but

 

"Able to delete every video on Youtube"? No

 

"Able to delete ANY video on Youtube"? Sure

 

Plus he only shows the token being used to delete his own video in his own session, perhaps if you try to use your own token to delete someone elses video it will say "Computer says No!"

 

It would be very simple to automate the process

 

Yes he only shows deleting his video, but if you notice he shows deleting his video through a browser that isn't logged in as him.  He used the identifier from the url as well as the session token from the browser he was not logged into.  So it would have been simple to run a script saying delete all videos...or at least automate it so you could delete the videos you want (ie putting the url into a program and having the program delete the video)

0b10111010 10101101 11110000 00001101

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Pure horror to my eyes! STAP DAT

                                                                                          »»» Frankz' X99 System «««                                                                                         

CPU: 5820k 4.6Ghz 1.31v, Motherboard: Asus Rampage V Extreme, RAM: G.Skill Ripjaws4 16GB DDR4@3000Mhz, GPU: ASUS GTX780 DirectCUII

         SSD: Samsung 850 EVO 250GB, HDD: WD Blue 1TB, PSU: EVGA SuperNova 850 G2, Cooler: Corsair H105, Case: Corsair Obsidian 750D        

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Noooo I want wierd ads with girls playing games in their underwear!

/s

But they all have the London look. Ewww.

3000-austin-powers.jpg

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW

Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Tech News

×