YouTube Hit By HTML Injection Vulnerability
Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."
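The failure mode the summary describes, as an added example that is not part of the original story and is not YouTube's code: a filter that escapes only a leading `<script>` tag, next to output encoding applied to the whole comment. The function names and the sample comment are constructed, and how YouTube's filter was actually written is an assumption.

```javascript
// Constructed model of the behaviour in the summary. YouTube's real code is
// not on the page, so every name below is hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every HTML-significant character for an element-content context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed (assumed shape of the bug): a special case spots a leading <script>
// tag, escapes that tag, and then emits the rest of the comment untouched.
function renderCommentFlawed(comment) {
  const m = /^\s*<script[^>]*>/i.exec(comment);
  if (m) {
    return escapeHtml(m[0]) + comment.slice(m[0].length); // remainder is raw
  }
  return escapeHtml(comment);
}

// Hardened: no tag matching at all. The whole comment is encoded at output
// time, so there is no branch that can skip the encoder.
function renderCommentSafe(comment) {
  return escapeHtml(comment);
}

// Regression check for rendered comments: list tag names that survived as
// live markup. A correctly encoded comment yields an empty list.
function findUnescapedTags(html) {
  const names = [...html.matchAll(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi)]
    .map((m) => m[1].toLowerCase());
  return [...new Set(names)];
}

// Constructed sample input with harmless markup after the leading tag.
const sample = '<script><b>hi</b>';
console.log('flawed:', renderCommentFlawed(sample), findUnescapedTags(renderCommentFlawed(sample)));
console.log('safe:  ', renderCommentSafe(sample), findUnescapedTags(renderCommentSafe(sample)));
```

Running `findUnescapedTags` over already stored comments is also a way to locate the rows that need cleanup once the renderer is fixed.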
wait for it... wait for it... And nothing of value was lost!
________
Entranced by anime since late summer 2001 and loving it ^_^
Really? They're really only removing some of them? When they can just do a simple delete query and wipe everything with a properly escaped script tag at the top of the comment? Wow. Just wow.
The solution to this is for users to be asked if they want to participate in commented sections when signing up. Not just at youtube, but everywhere. And probably not just comments, but any user input area.
Wow. You'd think somebody would've figured out something like this a long time ago.
But since merely gazing at YouTube comments lowers your IQ by at least 20 points, I'm actually amazed someone found it. Must have used some kind of proxy who looked at it, got dumber for it, but managed to pass along the code to someone who could look at it without being exposed to the dumb.
You can't take the sky from me...
I'm really surprised it was used for trolling rather than making money. That seems like a phisher's wet dream.
"Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
Physical age doesn't necessarily correspond to mental age. Personally, I've been getting more immature as years pass.
Canada: The US's more awesome sibling.
YouTube has currently .... set the comments section to be hidden by default
This is the greatest possible improvement to YouTube short of removing the comments section entirely.
I put the 't' in electrical engineering.