Slashdot Mirror


YouTube Hit By HTML Injection Vulnerability

Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."

22 of 224 comments (clear)

  1. Series of tubes... by ae1294 · · Score: 5, Funny

    All of your tubes are belonging to US now.

    1. Re:Series of tubes... by KevMar · · Score: 5, Funny

      Somebody set up us the script bomb

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    2. Re:Series of tubes... by ae1294 · · Score: 4, Funny

      Really? They're really only removing some of them? When they can just do a simple delete query and wipe everythin with a properly escaped script tag at the top of the comment? Wow. Just wow.

      Shhh.... one word... overtime pay.

    3. Re:Series of tubes... by daremonai · · Score: 5, Funny

      That was actually two words ... Oh no, now we owe you overtime. Sneaky.

  2. I experienced this! by Anonymous Coward · · Score: 5, Funny

    I went to youtube, but all I saw was crap material. Someone had injected a bunch of crap!

  3. Re:Ha ha by bsDaemon · · Score: 5, Funny

    Based on the typical YouTube comment (or video, for that matter), I already hard sort of expected that to be the case.

  4. The very definition of Youtube by Anonymous Coward · · Score: 5, Funny

    Lots of people anonymously "injecting" a bunch of crap into a website for all others to see.

    This exploit is just an alternative to the original "Upload Video" button.

  5. Why natural language needs grouping symbols by Anonymous Coward · · Score: 5, Funny

    a "How to learn PHP in 24 hours!" book

    Does that mean:

    1. It teaches you, over the course of an unspecified period of time, how to learn PHP in 24 hours?
    2. It teaches you, over the course of 24 hours, how to learn PHP? or
    3. After 24 hours have elapsed, it teaches you how to learn PHP?

    Note that it doesn't actually teach you PHP. It just teaches you how to learn it.

    1. Re:Why natural language needs grouping symbols by maxwell+demon · · Score: 3, Funny

      No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Why natural language needs grouping symbols by weicco · · Score: 2, Funny

      I can't wait 24 hours! Got to get 12 hour book...

      --
      You don't know what you don't know.
    3. Re:Why natural language needs grouping symbols by CODiNE · · Score: 2, Funny

      I've seen the book, option 3 is the correct answer.

      It's 1,440 pages of "Wait one minute, then turn the page" which sadly forces one into an inescapable loop for 24 hours. After one has starved, missed sleep and soiled oneself through this excruciating 24 hour period the last page says only this:

      Buy the book titled 'This book teaches you PHP'.

      I was thoroughly disappointed.

      --
      Cwm, fjord-bank glyphs vext quiz
    4. Re:Why natural language needs grouping symbols by osu-neko · · Score: 5, Funny

      No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

      An optimized version, then? ;)

      --
      "Convictions are more dangerous enemies of truth than lies."
    5. Re:Why natural language needs grouping symbols by Kreigaffe · · Score: 4, Funny

      The first time I hear anyone ever fucking utter the word "Kibisecond" I'm just going to shoot them in the face. There's no other choice.

      --
      ... still waiting for this free-as-in-beer free beer I keep hearing about. :|
    6. Re:Why natural language needs grouping symbols by Anonymous Coward · · Score: 2, Funny

      How many Lojbanists does it take to change a broken light bulb? ...

      Two: one to figure out what to change it into, and one to figure out what kind of bulb emits broken light.

    7. Re:Why natural language needs grouping symbols by mjwx · · Score: 2, Funny

      If I ever need to refer to 1024 seconds, I'll be sure to do so when you're not around.

      Dont worry, he'll be back in a kibisecond.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  6. Someone needs to lose their job over this by l0ungeb0y · · Score: 1, Funny

    What idiot doesn't check user input with at least a regex replace to look for offending tags in fields *YOU KNOW* will be rendered by an HTML interpreter (browser)?
    Languages like PHP even have built-in routines that will strip out all HTML tags except for safe one you specify, it's been a few years, but I believe it's called htmlSafeTags(string, array of safe tags).

    This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.

  7. Massive rickroll? by mwvdlee · · Score: 5, Funny

    If they didn't redirect ALL videos to a Rick Astley video, they have missed the opportunity of a lifetime.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  8. Re:Ha ha by SpeedyDX · · Score: 4, Funny

    YouTube is supposed to be a kid-friendly place. Parents could do their best to try to responsibly monitor and guide their kids' surfing habits, but still fail because of this exploit. This is not funny, nor awesome. This is not someone finding a potential exploit and graciously letting Google know so they can patch it up. Just a bunch of 4channers screwing around, and to hell with the consequences. And people like you encouraging that type of behaviour.

    Just because this is The Internet(TM), it doesn't mean that common courtesy need not apply.

  9. Re:... if you want to keep it by Rallion · · Score: 4, Funny

    *Reads list of filtering options*

    So does it just hide the whole comment section, or show it as being empty?

  10. Re:Ha ha by Johnno74 · · Score: 4, Funny

    Physical age doesn't necessarily correspond to mental age. Personally, I've been getting more immature as years pass.

    "I have abandoned the quest for eternal youth and instead setttled for lifelong immaturity"

  11. Re:... if you want to keep it by Anonymous Coward · · Score: 1, Funny

    Did anyone else read that list as:

    * All capital letters
    * ????
    * Profanity

  12. What I learned from this story by SmallFurryCreature · · Score: 3, Funny

    What I learned from this story:

    That goatse.cx is very old news and that there are whole new horrors I never even heard of.

    Someone must be looking out for me.

    You know you are living a blessed life when you got no idea what 1man1jar or lemon party is. Reminds me of being a little kid and having no idea what the adults were talking about. Only this time I know the value of ignorance.

    Let me see. 1 man 1 jar, must be about a man collecting pennies to buy a gift for his mother.

    Lemon party? Sweet lemonade for a hot summer day? Sounds fun.

    2girls1cup? Two girls riding the magic cup at disney?

    Please, don't correct me. Ignorance is bliss.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.