The W - Internet & Computers - YouTube vulnerability
Alessandro
#1 Posted on | Instant Rating: 5.56
    Originally posted by Techie Buzz

    It appears that YouTube is vulnerable to XSS (cross-site scripting) attacks. Details are scarce since this is a breaking story. However, according to preliminary information available with us, it is possible to hijack cookies to gain access to a logged-in user’s Gmail and YouTube accounts.

    Although, it’s unclear who discovered this vulnerability, 4Chan users are already trying to actively exploit it. The exploit makes use of PHP, JavaScript, and XSS, and is being spread through comments on videos. Any logged in user who has browsed to an infected page is vulnerable. The best solution is to completely log out of YouTube until this issue has been fixed. If you are worried that you have viewed an infected video, delete all your cookies.

    Spread the word to your friends and family members and help them stay protected. We will update you as soon as we learn more.



I was watching a few videos this morning, didn't notice anything unusual in the comments though (although to be honest, I've learned long ago to ignore YouTube user comments completely) ... Still, to be on the safe side, I deleted all cookies and changed my YouTube password.

I'm hoping that was unnecessary, though. I'm using the latest version of Firefox, and have all the latest Windows updates installed, so I should be safe ... right?



"All RAW is these days is a cheap version of Saturday Night Live, so if you wanna tune in to watch the amazing star power of Al Sharpton and Nancy O'Dell, go ahead! Who's gonna host next week, Big Bird? Wow, that's must-see TV!" - John Morrison (10/16/09 Smackdown!)


Parquet Wishes and Leprechaun Dreams
FALCONNNN PAWNCH!!!


cranlsn
#2 Posted on | Instant Rating: 5.52

...and it appears to be fixed.
http://techie-buzz.com/online-security/youtube-hack-update.html

EBaumsworld and 4Chan are apparently assigning blame to each other...
Alessandro
#3 Posted on | Instant Rating: 5.56
    Originally posted yesterday by Slashdot

    from the enjoy-the-holiday-google dept., Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a "script" (with the < and > symbols like regular HTML code) tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."



I think CNet's coverage is a little disingenuous, though:

    Google has plugged the hole hackers used Sunday morning to festoon YouTube videos with off-color pop-ups and adult-site redirects, according to a news outlet.

    Hackers took advantage of a cross-site scripting vulnerability that enabled them to insert code onto the popular video site's viewer-comments pages, IDG News Service said in a report. The hackers apparently had it in for Justin Bieber, focusing on clips related to the teen pop star, who's set to appear tonight on an NBC television celebration of the Fourth of July and who's reportedly one of the most popular attractions on YouTube.

    According to IDG, a Google representative said the attackers' exploits would not have allowed them to access the Google accounts of YouTube visitors who encountered a hacked page. The representative said, though, that visitors should log out of their Google accounts and then log back in, just to be safe.

    IDG also quoted a source who said that though the hack itself didn't involve malware, any landing pages to which visitors were redirected could have. The source said, however, that most antivirus software would be defense enough against that possibility.

    Google said YouTube's comment sections were temporarily shut down in response to the hack.

    "Comments were temporarily hidden by default within an hour [of discovering the problem], and we released a complete fix for the issue in about two hours," IDG quoted the company as saying. "We're continuing to study the vulnerability to help prevent similar issues in the future."


(edited by Alessandro on 5.7.10 0931)

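The escaping flaw described in the Slashdot summary quoted in post #3, as an added example that is not part of the thread and is not YouTube's code: a constructed renderer (flawedRender, a hypothetical name) that encodes only a leading tag, beside one that encodes the whole comment, with a regression check for raw markup in the output. The sample comments are constructed and contain harmless markup only.

```javascript
// Added example: a constructed model of the flaw, not YouTube's code.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text encoding: every metacharacter, everywhere in the string.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Hypothetical flawed renderer: neutralises only a leading tag and then
// trusts the remainder, which is the behaviour the Slashdot summary describes.
function flawedRender(comment) {
  const leadingTag = /^<[^>]*>/.exec(comment);
  if (!leadingTag) return escapeHtml(comment);
  return escapeHtml(leadingTag[0]) + comment.slice(leadingTag[0].length);
}

// Hardened renderer: the whole comment is data, so the whole comment is encoded.
function hardenedRender(comment) {
  return escapeHtml(comment);
}

// Regression check: an encoded comment body must contain no raw angle brackets.
function hasRawMarkup(rendered) {
  return /[<>]/.test(rendered);
}

// Constructed sample comments (harmless markup only).
const SAMPLES = [
  'nice video & great song',
  '<b>bold</b> opener',
  '<script><h1>giant red text</h1>',
];

// Render every sample and report whether raw markup survived.
function audit(render) {
  return SAMPLES.map((comment) => {
    const rendered = render(comment);
    return { comment, rendered, rawMarkup: hasRawMarkup(rendered) };
  });
}

console.log(audit(flawedRender));
console.log(audit(hardenedRender));
```

Running audit() over stored comments with the production renderer swapped in is a quick way to confirm that no comment reaches the page with unencoded angle brackets.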

