YouTube Hit By HTML Injection Vulnerability
Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."
All of your tubes are belonging to US now.
I went to youtube, but all I saw was crap material. Someone had injected a bunch of crap!
Problem solved?
Awesome. The youtubers getting their panties in a knot have to lighten up. Based on some of their comments, you'd think the world was coming to an end.
Trolling is a art,
The evolution of this bug exploit was quite interesting to follow up close.
At first it simply prevented any further comments to be posted.
Then text was added.
Then the text was scrolling.
Suddenly, the entire page was blacked out except for the added text.
And that's when the more technical minded people realized much much more was possible.
Bam! Popups!
Infinite popups that lead to browser crashes!
Page redirects to shock sites!
The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video.
And when the exploit was blocked in the comments, it had a small resurgence as video reply title, before being smacked down once more.
Glorious.
They actually got it fixed a bit after I submitted this story. A shame, lemonparty was a big step up from the usual level of discussion on YouTube videos. More seriously, I'm interested in finding out exactly what happened here. Hopefully Google will post some sort of explanation. YouTube is a massive site and it's somewhat bizarre seeing them make the sort of mistake you'd expect from something put together by a drooling moron with nothing but a "How to learn PHP in 24 hours!" book.
wait for it... wait for it... And nothing of value was lost!
________
Entranced by anime since late summer 2001 and loving it ^_^
Wow. You'd think somebody would've figured out something like this a long time ago.
Someone used an > to fool the tag parser and did recurring alert boxes and also redirects to Goatse. It's quite a common problem, as illustrated by Bobby Tables.
Lots of people anonymously "injecting" a bunch of crap into a website for all others to see.
This exploit is just an alternative to the original "Upload Video" button.
A lot of the comments are just troll BS. Most people log on for videos not to read the ramblings of basement dwelling trolls. I try to ignore them but they can be really obnoxious. I don't post on Youtube but I have had things pirated and posted just so they could make obnoxious comments. The work posted was just previs stuff that was just done for editing slugs but it was presented as finished work. It caused some trouble with a client so I got a lot more careful about letting development work out there. It's just sad a handful have to spoil things for everyone else. I used to post a lot of development work on my web site but I stopped completely. Trolls are like the people that talk and answer phone calls and take infants to movies. They really spoil the experience for the rest of us. I say if the comments can't be a constructive outlet then remove them and get rid of that security hole completely. The other option for security would be removing the HTML and go pure text. It's nice having HTML input but you don't really need the formatting for comments and it's always going to be a source of potential holes.
a "How to learn PHP in 24 hours!" book
Does that mean:
1. It teaches you, over the course of an unspecified period of time, how to learn PHP in 24 hours?
2. It teaches you, over the course of 24 hours, how to learn PHP? or
3. After 24 hours have elapsed, it teaches you how to learn PHP?
Note that it doesn't actually teach you PHP. It just teaches you how to learn it.
I wonder how many times this vulnerability was used to deliver malware.
cp /dev/zero ~/signature.txt
If I had to guess, I think it's a variant of an attack I've seen before.
Quidquid latine dictum sit, altum videtur
What idiot doesn't check user input with at least a regex replace to look for offending tags in fields *YOU KNOW* will be rendered by an HTML interpreter (browser)?
Languages like PHP even have built-in routines that will strip out all HTML tags except for the safe ones you specify. It's been a few years, but I believe it's called htmlSafeTags(string, array of safe tags).
This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.
Word is it's Ebaumsworld. Of course, you can't trust the b tards any more than you can them.
I find it interesting pondering the how and why these things fail-- the insight into how the code must have been put together to fail on a particular input.
My initial guess for this one would be that they escape html and scripts separately-- scripts do not need greater than, less than, and ampersand escaped-- and that detecting the keyword 'script' switched modes from html to script. The fact that the first script tag is properly html-escaped suggests that while it was properly detected, the code to switch between html and script modes did not take this detection into account and switched anyway. I'm going to further guess that this is due to some support code meant for the programmers' side that inadvertently managed to cross over into user land.
My two cents.
--Dave Romig, Jr.
Get the YouTube Comment Snob addon for Firefox.
YouTube Comment Snob filters out undesirable comments from YouTube comment threads. You can choose to have any of the following rules mark a comment for removal:
* More than # spelling mistakes: The number of mistakes is customizable, and the extension uses Firefox's built-in spell checker.
* All capital letters
* No capital letters
* Doesn't start with a capital letter
* Excessive punctuation (!!!! ????)
* Excessive capitalization
* Profanity
If they didn't redirect ALL videos to a Rick Astley video, they have missed the opportunity of a lifetime.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Why would they have a distinction between a HTML and a script mode on comments? Is there any reason you'd ever want a comment to contain a script?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Comments turned off by default? Great! Any chance they can make that permanent?
Read more about the vulnerability here: http://blog.insecurity.ro/youtube-html-code-injection/
tinkode found it.
... on the dangers of unsanitized user inputs.
I find it interesting pondering the how and why these things fail-- the insight into how the rig must have been put together to fail and cause a blowout.
My initial guess for this one would be that they were separating the fish and oil with a valve-- when you're drilling on the seafloor some fish will get sucked into the tubes and will have to be let out into the ocean again-- and that a fish happened to get into the "oil" tube, which confused the valve into switching modes from fish to oil. The fact that they started releasing oil into the sea suggests that while the fish was properly detected, the code to switch between fish and oil modes did not take this detection into account and switched anyway. I'm going to further guess that this is due to some support pipes meant for the engineers' side that inadvertently managed to cross over into Florida.
My two cents.
--Anonymous Coward
Exactly, why not just escape the whole thing? Or if you're even more paranoid, why not just strip the script tags and everything in between? That being said, the fact that this exploit exists in the first place shows that they're not doing either one of those things.
Does this sig remind you of Agatha Christie?
Since this was turned into a massive, YouTube-wide trolling effort, it's being fixed nearly immediately. What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did? And used it for weeks? It would have been more subtle, and with YouTube's traffic, it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. Did 4chan just do a good thing?
Canada: The US's more awesome sibling.
Fun stuff, but I believe it was done by the notorious Ebaums world, and not 4chan.
How much of this kind of problem is caused by the standard behavior of browsers to make a 'best guess' at interpreting 'bad' HTML, since the parsing rules are very lax compared to XML?
Should unmatched tags cause the browser to stop and say 'Parsing Error, Invalid HTML'? (or whatever user-friendly message the browser author writes)
'cause I could totally imagine someone, somewhere writing a browser that sees '<'s and auto-re-encodes them, then does its tag parsing.
Back around 1998 I worked for a company that made e-commerce sites as their first tester for less than a month. The first bug I found was that a new user could insert script tags in their username (any field, really). My employer's response was "Why would anyone want to hack a website?"... I wouldn't drop the issue, so they dropped me.
http://www.xkcd.org/481/
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
Get inspired from places with mature attitudes on drug abuse; those with safe injecting sites.
Youtube feels like a drug to me at times...I'd elaborate on this viewpoint but a vid of a cat and a dog chasing their own tails at the same time interests me more.
someone stealing my cookies. They're MY cookies. -_-
Shut Up is a Safari extension that removes the comment sections from several popular websites. Enjoy less bullshit in your web browsing.
Who here wants to blame this on Microsoft! BUELLER??? BUELLER???
I haven't actually tried Comment Snob addon in some time and it seems that it hasn't been updated to work with the latest changes on YouTube. Maybe someone with a little free time has the passion to fix it.
I'm sure there is some joke about yo mama and unsanitized user inputs...
What's the Microsoft angle?
Nice, long and contrived explanation.
Much more likely they forgot to set the correct parameter to have ALL the occurrences replaced instead of only the left-most longest occurrence.
(for example, they forgot to put a "g" after the RegExp)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
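As an added example (not code from this thread or from YouTube), here is how the "missing g flag" guess above reproduces exactly the symptom in the summary, where the first tag is escaped and everything after it reaches the page raw, next to the corrected escaper and a defender-side audit that flags stored comments the escaper failed to neutralise. The escaper, the audit helper and the sample comments are all constructed for illustration.

```javascript
// Added example, not YouTube's code: a comment escaper whose regex lacks the
// "g" flag escapes only the first special character, reproducing the story's
// symptom (first tag neutralised, everything after it emitted raw).

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Hypothetical buggy escaper: without "g", String.prototype.replace rewrites
// only the left-most match, so only the first special character is escaped.
function escapeHtmlBuggy(text) {
  return text.replace(/[&<>"']/, (ch) => ENTITIES[ch]);
}

// Corrected escaper: "g" replaces every occurrence, so no raw markup survives.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// True if the string still contains something a browser would parse as a tag.
function hasRawMarkup(html) {
  return /<\/?[a-z!][^>]*>/i.test(html);
}

// Defender-side audit: run an escaper over stored comments and return the
// indices whose output would still reach the page with live markup.
function auditComments(comments, escaper) {
  const flagged = [];
  comments.forEach((c, i) => {
    if (hasRawMarkup(escaper(c))) flagged.push(i);
  });
  return flagged;
}

// Constructed sample comments in the shape the story describes.
const SAMPLE_COMMENTS = [
  "great video, thanks!",
  "<script>alert(1)</script><marquee>text scrolls</marquee>",
  "<b>bold</b> but harmless",
];

console.log(escapeHtmlBuggy(SAMPLE_COMMENTS[1]));
// &lt;script>alert(1)</script><marquee>text scrolls</marquee>
console.log(auditComments(SAMPLE_COMMENTS, escapeHtmlBuggy)); // [1, 2]
console.log(auditComments(SAMPLE_COMMENTS, escapeHtml));      // []
```

The audit is the check worth keeping around: it catches any escaper that leaves a raw tag behind, whatever the cause, not just a missing flag.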
We only just had a big debate over whether going to university makes you a better coder or not in the Zoho topic. http://news.slashdot.org/story/10/07/01/208222/Zoho-Dont-Need-No-Stinking-PhD-Programmers
:P
In there, Google and their army of PhDs was mentioned as proof that a degree really matters.
It appears even with a PhD you're still susceptible to making schoolboy errors. Zoho can make these sorts of errors for much less by hiring kids straight out of high school.
This is just a test. Do not be alarmed. eval(1+1);//this is also a test
It's only bad design / coding / development - who cares! It happens all the time and will happen as long as the subpar designs / development / coding is allowed. Mostly I would blame the design of these systems - it's very difficult to (safely) implement anything which is already broken, as most of the systems today! Or - if you don't agree, list the systems that haven't been broken one time or other? Or - which will not be broken in future?
Seriously - after fighting long enough years for safe and secure design, I honestly don't understand these? It has been 100% - really hundred percent - every time a problem with design for no other reason except ignorance, greed, lack of experience, whatever - but anyway something you would have got fired earlier! Now - blame others, blame a product, blame a vendor, blame a hacker, etc - give me a break!
Agreed. I think that's what they were trying to do, but it failed. Another poster reminded me of a particular way Perl Regular Expressions can fail in PHP that would leave an escaping half-processed in this manner.
You have to wonder, though, most languages designed for web pages already have an optimized function for this type of escaping. Why not use it? Either they are trying to be clever or they reinvented the function in an incomplete way.
Maybe if the paranoia level is low, they'll announce what it was when it's fixed.
--Dave Romig, Jr.
Actually, all youtube-comments marked "insightful" were still readable...
What I learned from this story:
That goatse.cx is very old news and that there are whole new horrors I never even heard of.
Someone must be looking out for me.
You know you are living a blessed life when you got no idea what 1man1jar or lemon party is. Reminds me of being a little kid and having no idea what the adults were talking about. Only this time I know the value of ignorance.
Let me see. 1 man 1 jar, must be about a man collecting pennies to buy a gift for his mother.
Lemon party? Sweet lemonade for a hot summer day? Sounds fun.
2girls1cup? Two girls riding the magic cup at Disney?
Please, don't correct me. Ignorance is bliss.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
1 Man 1 Jar is in the same league as 2 Girls 1 Cup or Mr. Hands. Not up in the same league with the Ukrainian snuff videos, benzin.avi or terrorist beheading videos, and certainly not the "hardest you've ever seen" unless you're new to the Internet.
That said a man stuffing a jar up his ass and having it break is still not something you want to see.
"When information is power, privacy is freedom" - Jah-Wren Ryel