$1337 YouTube Community (Posts) bug

YouTube Community is a feature that is only available for Channels with:

1. Verified Phone numbers

2. A significant history, more content for years.

In early June I started hunting for security flaws on YouTube. I was roaming around the features, but most of the places were found secure, or the potential features already had bug fixes in place.
The Community Tab is now Posts


So, I thought to exploit the YouTube Community feature. I was trying to delete the Posts using IDOR attacks, but it didn't work. I was tired of trying various attacks but thought to compromise to the least, "Privilege escalation".

The Security flaw...

A user (victim) creates a YT Community post. An attacker who is an Admin of the same Channel saves the HTTP Request that deletes a Community Post / Poll. After being demoted from Admin to Subtitle Editor, the attacker can replay that saved HTTP Request, and it still deletes the Post / Poll.


I exploited this flaw: I tried 15 seconds after demoting the role and was able to delete the Post.
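A regression check for the replay-after-demotion behaviour described above, as an added example that is not from the original post or from YouTube's code. The post does not state the root cause, so a role snapshot taken at login is assumed here as one possible cause, and `Server`, `Channel`, the handler names and the sample users are hypothetical.

```python
# Constructed model: role names come from the post, everything else is hypothetical.
from dataclasses import dataclass, field

CAN_DELETE_POSTS = {"owner", "admin"}  # assumption: roles allowed to delete posts

@dataclass
class Channel:
    roles: dict = field(default_factory=dict)  # user -> current role
    posts: dict = field(default_factory=dict)  # post_id -> author

@dataclass(frozen=True)
class DeleteRequest:
    """What the client sends; byte-for-byte identical when replayed later."""
    session_id: str
    post_id: str

class Server:
    def __init__(self, channel):
        self.channel = channel
        self.sessions = {}  # session_id -> (user, role captured at login)

    def login(self, session_id, user):
        self.sessions[session_id] = (user, self.channel.roles[user])

    def delete_stale(self, req):
        # Weak: trusts the role snapshot stored when the session was created.
        _, role_at_login = self.sessions[req.session_id]
        return self._delete(req.post_id, role_at_login)

    def delete_fresh(self, req):
        # Hardened: looks up the user's role at the moment of the request.
        user, _ = self.sessions[req.session_id]
        return self._delete(req.post_id, self.channel.roles.get(user))

    def _delete(self, post_id, role):
        if role not in CAN_DELETE_POSTS or post_id not in self.channel.posts:
            return False
        del self.channel.posts[post_id]
        return True

def replay_after_demotion(handler_name):
    """Save a delete request as admin, demote, replay; True means the post was deleted."""
    ch = Channel(roles={"victim": "owner", "mallory": "admin"}, posts={"p1": "victim"})
    srv = Server(ch)
    srv.login("s1", "mallory")
    saved = DeleteRequest("s1", "p1")         # request saved while still admin
    ch.roles["mallory"] = "subtitle_editor"   # demotion, as in the post
    return getattr(srv, handler_name)(saved)
```

A test like `replay_after_demotion` belongs in the suite for every state-changing endpoint, run once per role transition the product supports.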

I reported it in mid-June, and it was filed to the Product team for the fix within 2 weeks.


I received the reward within a month.

Issued Reward : $1337
