Slashdot Mirror


YouTube Hit By HTML Injection Vulnerability

Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."

12 of 224 comments

  1. They hid all comments... by Inf0phreak · · Score: 5, Insightful

    wait for it... wait for it... And nothing of value was lost!

    --
    ________
    Entranced by anime since late summer 2001 and loving it ^_^
  2. Re:Series of tubes... by Anonymous Coward · · Score: 3, Insightful

    Really? They're really only removing some of them? When they can just do a simple delete query and wipe everything with a properly escaped script tag at the top of the comment? Wow. Just wow.

    The solution to this is for users to be asked if they want to participate in commented sections when signing up. Not just at youtube, but everywhere. And probably not just comments, but any user input area.

  3. Re:Really? by Scrameustache · · Score: 4, Insightful

    Wow. You'd think somebody would've figured out something like this a long time ago.

    But since merely gazing at YouTube comments lowers your IQ by at least 20 points, I'm actually amazed someone found it. Must have used some kind of proxy who looked at it, got dumber for it, but managed to pass along the code to someone who could look at it without being exposed to the dumb.

    --

    You can't take the sky from me...

  4. Re:htmlspecialchars() by Anonymous Coward · · Score: 1, Insightful

    It's not that hard for a small typo to result in something like this:

    $text =~ s/([<>])/'&#'.ord($1).';'/ge;   # /g: every < and > becomes a numeric entity
    vs
    $text =~ s/([<>])/'&#'.ord($1).';'/e;    # no /g: only the first < or > is escaped

    And not that hard to introduce such a bug when working on existing code to support new output mediums (such as in ajax responses or mobile or the like). In theory code review is supposed to catch it, but...

  5. Re:Evolution of an exploit by wmbetts · · Score: 4, Insightful

    I'm really surprised it was used for trolling rather than making money. That seems like a phisher's wet dream.

    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
  6. Re:Is it Christmas already? by Max+Romantschuk · · Score: 2, Insightful

    The comments never bothered me. I simply don't read them.

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
  7. Re:Ha ha by Anonymous Coward · · Score: 1, Insightful

    Have you taken a look in the real world lately? Common courtesy doesn't seem to apply there either.

  8. Re:Ha ha by twidarkling · · Score: 4, Insightful

    Physical age doesn't necessarily correspond to mental age. Personally, I've been getting more immature as years pass.

    --
    Canada: The US's more awesome sibling.
  9. Re:htmlspecialchars() by Anonymous Coward · · Score: 2, Insightful

    Indeed, which is why everyone but Perl programmers uses library functions rather than writing their own regular expressions for working with markup. As a bonus you avoid little bugs like forgetting to escape '&', and it'll probably escape '"' and ''' as well so you can use it for attributes.
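    The "missing /g" bug from comment 4 and the "use a library escaper" advice from comment 9, worked through in Python as an added example (not code from any of the posters or from YouTube). The sample comment string is constructed; escape_first_only mirrors the Perl substitution without /g, escape_all_angle_brackets mirrors the corrected one, and contains_raw_tag is a simple check a maintainer could run over rendered output to spot an escaper that lets later markup through.

```python
import html
import re

# Constructed sample comment: one tag at the start, more markup after it,
# plus characters that matter inside attributes.
SAMPLE_COMMENT = '<script>hello <b>world</b> & "quotes"'

_ANGLE = re.compile(r'([<>])')


def _numeric_entity(m: re.Match) -> str:
    # Same replacement the Perl snippet builds: '&#' . ord($1) . ';'
    return '&#%d;' % ord(m.group(1))


def escape_first_only(text: str) -> str:
    """Mirror of the buggy Perl line (no /g flag).

    Only the first '<' or '>' is turned into an entity; everything after
    it reaches the page as written."""
    return _ANGLE.sub(_numeric_entity, text, count=1)


def escape_all_angle_brackets(text: str) -> str:
    """Mirror of the corrected Perl line (/ge).

    Every '<' and '>' is escaped, but '&', '"' and "'" are untouched, so
    the result is still not safe inside an attribute value."""
    return _ANGLE.sub(_numeric_entity, text)


def escape_with_library(text: str) -> str:
    """Library escaper: handles &, <, >, " and ' in one call."""
    return html.escape(text, quote=True)


# Any literal element or closing tag that survives escaping.
_RAW_TAG = re.compile(r'<[A-Za-z/][^>]*>')


def contains_raw_tag(rendered: str) -> bool:
    """Output check: does a real HTML tag survive in the escaped string?"""
    return _RAW_TAG.search(rendered) is not None


def compare(text: str = SAMPLE_COMMENT) -> dict:
    """Run all three escapers and report whether each leaks a tag."""
    escapers = {
        'first_only': escape_first_only,
        'all_angle_brackets': escape_all_angle_brackets,
        'library': escape_with_library,
    }
    return {name: (fn(text), contains_raw_tag(fn(text)))
            for name, fn in escapers.items()}


if __name__ == '__main__':
    for name, (out, leaks) in compare().items():
        print('%-20s leaks_tag=%-5s %s' % (name, leaks, out))
```

    Running it shows the first escaper producing `&#60;script>hello <b>world</b> ...`, exactly the shape described in the story: the leading tag looks neutralised while the `<b>` after it is live markup. The regex fix stops the tag leak but still passes `&` and quotes through, which is the gap the library call closes.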

  10. Re:Trolling as a method to expedite bug fixes? by Anonymous Coward · · Score: 1, Insightful

    Probably not long. Google isn't known for complacency, and popular web services in general react quickly. Except for Facebook, anyway.

    If it wasn't known, then it might have been undetected for weeks. But until Google says otherwise, we can't know that this wasn't already the case.

  11. Re:Series of tubes... by XnavxeMiyyep · · Score: 4, Insightful

    Well, look at the bright side!

    YouTube has currently .... set the comments section to be hidden by default

    This is the greatest possible improvement to YouTube short of removing the comments section entirely.

    --
    I put the 't' in electrical engineering.
  12. Re:Why natural language needs grouping symbols by L4t3r4lu5 · · Score: 2, Insightful

    Self-fulfilling prophecy?

    It's been nice knowing you.

    --
    Finally had enough. Come see us over at https://soylentnews.org/