Security bod Kamil Hismatullin has disclosed a simple method to delete any video from YouTube.
The Russian software developer and hacker found videos can be instantly nuked by sending the identity number of a video in a POST request along with any token.
Google paid the bug hunter US$5000 for the find along with $1337 under its pre-emptive vulnerability payment scheme in which it slings cash to help recognised researchers find more bugs.
"I wanted to find there some CSRF or XSS issues, but unexpectedly discovered a logical bug that let me delete any video on YouTube with just one request," Hismatullin says.
"... this vulnerability could create utter havoc in a matter of minutes in [hackers'] hands who could extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time."
Hismatullin says Google responded quickly when he reported the bug Saturday.
He says he spent seven hours finding the bugs and resisted the near-overwhelming urge to "clean up Bieber's channel".
Google's Vulnerability Research Grants is described as cash with "no strings attached" that allows known security bods to apply for US$3133.70 to begin bug hunting expeditions.
The search and service giant handed out some $1.5 million last year to bug hunters for reporting vulnerabilities. ®
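The class of logic bug described above, a delete request that accepts any token alongside a video's identity number, comes down to a token that is never tied to the resource or the caller. The sketch below is an added example, not Google's code: the video ids, users, key and HMAC token scheme are all constructed assumptions, showing a handler with that flaw beside one that checks ownership and token binding.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed value, not a real secret
# Constructed sample data: video id -> owning account
VIDEOS = {"vid-alice-1": "alice", "vid-alice-2": "alice", "vid-bob-1": "bob"}


def issue_token(user: str, video_id: str) -> str:
    """Hypothetical token scheme: bound to one user AND one video id."""
    msg = f"{user}|{video_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def delete_flawed(videos: dict, session_user: str, video_id: str, token: str) -> bool:
    """Models the reported flaw: a token must be present, but nothing
    ties it to video_id or to the account making the request."""
    if not token or video_id not in videos:
        return False
    del videos[video_id]
    return True


def delete_checked(videos: dict, session_user: str, video_id: str, token: str) -> bool:
    """Hardened form: object-level authorization plus token binding."""
    # 1. The caller must own the video named in the request.
    if videos.get(video_id) != session_user:
        return False
    # 2. The token must have been issued for this user and this video.
    expected = issue_token(session_user, video_id)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    del videos[video_id]
    return True


if __name__ == "__main__":
    bob_token = issue_token("bob", "vid-bob-1")  # valid, but for Bob's own video
    for handler in (delete_flawed, delete_checked):
        store = dict(VIDEOS)
        ok = handler(store, "bob", "vid-alice-1", bob_token)
        print(f"{handler.__name__}: cross-account delete accepted = {ok}")
```

Both checks matter: ownership alone leaves the token meaningless, and token validation alone is what lets a token minted for one video work against another.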