Originally posted by Techie Buzz
It appears that YouTube is vulnerable to XSS (cross-site scripting) attacks. Details are scarce since this is a breaking story. However, according to preliminary information available with us, it is possible to hijack cookies to gain access to a logged-in user’s Gmail and YouTube accounts.
Spread the word to your friends and family members and help them stay protected. We will update you as soon as we learn more.
I was watching a few videos this morning, didn't notice anything unusual in the comments though (although to be honest, I've learned long ago to ignore YouTube user comments completely) ... Still, to be on the safe side, I deleted all cookies and changed my YouTube password.
I'm hoping that was unnecessary, though. I'm using the latest version of Firefox, and have all the latest Windows updates installed, so I should be safe ... right?
"All RAW is these days is a cheap version of Saturday Night Live, so if you wanna tune in to watch the amazing star power of Al Sharpton and Nancy O'Dell, go ahead! Who's gonna host next week, Big Bird? Wow, that's must-see TV!" - John Morrison (10/16/09 Smackdown!)
Originally posted yesterday by Slashdot from the enjoy-the-holiday-google dept.
Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a "script" (with the < and > symbols like regular HTML code) tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."
I think CNet's coverage is a little disingenuous, though:
Google has plugged the hole hackers used Sunday morning to festoon YouTube videos with off-color pop-ups and adult-site redirects, according to a news outlet.
Hackers took advantage of a cross-site scripting vulnerability that enabled them to insert code onto the popular video site's viewer-comments pages, IDG News Service said in a report. The hackers apparently had it in for Justin Bieber, focusing on clips related to the teen pop star, who's set to appear tonight on an NBC television celebration of the Fourth of July and who's reportedly one of the most popular attractions on YouTube.
According to IDG, a Google representative said the attackers' exploits would not have allowed them to access the Google accounts of YouTube visitors who encountered a hacked page. The representative said, though, that visitors should log out of their Google accounts and then log back in, just to be safe.
IDG also quoted a source who said that though the hack itself didn't involve malware, any landing pages to which visitors were redirected could have. The source said, however, that most antivirus software would be defense enough against that possibility.
Google said YouTube's comment sections were temporarily shut down in response to the hack.
"Comments were temporarily hidden by default within an hour [of discovering the problem], and we released a complete fix for the issue in about two hours," IDG quoted the company as saying. "We're continuing to study the vulnerability to help prevent similar issues in the future."
(edited by Alessandro on 5.7.10 0931)
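An added example, not part of the original thread and not YouTube's code: a hypothetical filter (`flawedSanitize`) that models the behaviour in the Slashdot summary, where a leading "script" tag is escaped and the rest of the comment is emitted as is, next to an encoder that escapes the whole string. All function names and sample comments are constructed for illustration.

```javascript
// Added illustration; NOT YouTube's code. Names and samples are constructed.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Correct for HTML body text: encode every significant character in the
// whole comment. Other output contexts (attributes, URLs, script blocks)
// need their own encoders.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical model of the reported bug: a leading <script> tag is
// escaped, but everything after it is passed through unencoded.
function flawedSanitize(comment) {
  const lead = /^\s*<script[^>]*>/i.exec(comment);
  if (!lead) return escapeHtml(comment);
  return escapeHtml(lead[0]) + comment.slice(lead[0].length);
}

// Regression check for a rendering layer: does the output still contain
// something a browser would parse as the start of a tag?
function containsRawMarkup(html) {
  return /<[a-z\/!]/i.test(html);
}

// Constructed sample comments (benign markup only).
const SAMPLES = [
  "nice video <3",
  "<b>bold</b>",
  "<script><b>still raw</b>",
];

// Returns the samples whose sanitised output still carries raw markup.
function audit(sanitizer, samples) {
  return samples.filter((s) => containsRawMarkup(sanitizer(s)));
}

console.log("flawed filter leaks:", audit(flawedSanitize, SAMPLES));
console.log("full escaping leaks:", audit(escapeHtml, SAMPLES));
```

Running an audit like this over stored comments or in a test suite catches a filter that special-cases one tag instead of encoding all output.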
From within IE: Tools->Internet Options->Security->Custom level (I think there's a default level that blocks ActiveX too). Make sure you set the options for each zone you use (e.g. local intranet, trusted sites, etc.).