Slashdot Mirror

← Back to Stories (view on slashdot.org)

YouTube Hit By HTML Injection Vulnerability

Posted by Soulskill on from the enjoy-the-holiday-google dept.

Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."

15 of 224 comments (clear)

  1. htmlspecialchars() by Anonymous Coward · · Score: 1, Interesting

    Problem solved?

    1. Re:htmlspecialchars() by Anonymous Coward · · Score: 1, Interesting

      I think you can count the lines of PHP in the Youtube codebase on zero hands, but yes, that would be the gist of it.
      Proper escaping isn't that hard, so this sounds like a poorly thought-out anti-injection measure accidentally circumvented the usual escaping. Generic blacklist-based XSS filters are pretty much useless, there's just too many ways to get a browser to execute some code, even without the general potential for fucking up your site.

  2. Really? by Dremth · · Score: 2, Interesting

    Wow. You'd think somebody would've figured out something like this a long time ago.

  3. I'd love to see the Comments removed period by Anonymous Coward · · Score: 2, Interesting

    A lot of the comments are just troll BS. Most people log on for videos not to read the ramblings of basement dwelling trolls. I try to ignore them but they can be really obnoxious. I don't post on Youtube but I have had things pirated and posted just so they could make obnoxious comments. The work posted was just previs stuff that was just done for editing slugs but it was presented as finished work. It caused some trouble with a client so I got a lot more careful about letting development work out there. It's just sad a handful have to spoil things for everyone else. I used to post a lot of development work on my web site but I stopped completely. Trolls are like the people that talk and answer phone calls and take infants to movies. They really spoil the experience for the rest of us. I say if the comments can't be a constructive outlet then remove them and get rid of that security hole completely. The other option for security would be removing the HTML and go pure text. It's nice having HTML input but you don't really need the formatting for comments and it's always going to be a source of potential holes.

    1. Re:I'd love to see the Comments removed period by grumbel · · Score: 4, Interesting

      A lot of the comments are just troll BS.

      Yes, but I blame the comment system for that. A comment system that doesn't allow links, doesn't allow more then a handful of characters, is a complete usability nightmare when you want to browse more then the last ten comments, doesn't allow search and doesn't support threads or replies properly is just useless when you actually want to write something insightful. A comment system should encourage informative posts, not make them impossible like the Youtube system does.

      The latest changes that the highest rated comments and comments from the video upload appear on top have helped a bit to cleanup the mess, but its still far away from being a comment system where people actually can have a meaningful discussion.

    2. Re:I'd love to see the Comments removed period by Thantik · · Score: 2, Interesting

      On top of that they need to implement some sort of penalty system for people who regularly post things that are downvoted. If out of 10 posts, the amount of downvotes you've gotten is higher than 80% then implement a week long "cool-off" period in which it resets to 0

  4. Interest pondering the how and why of such fails by DRJR · · Score: 3, Interesting

    I find it interesting pondering the how and why these things fail-- the insight into how the code must have been put together to fail on a particular input.

    My initial guess for this one would be that they escape html and scripts separately-- scripts do not need greater than, less than, and ampersand escaped-- and that detecting the keyword 'script' switched modes from html to script. The fact that the first script tag is properly html-escaped suggests that while it was properly detected, the code to switch between html and script modes did not take this detection into account and switched anyway. I'm going to further guess that this do to some support code meant for the programmers' side inadvertently managed to cross over into user land.

    My two cents.
    --Dave Romig, Jr.

  5. Re:Evolution of an exploit by larry+bagina · · Score: 5, Interesting

    Reminds me of the slashdot <a onhover=".."> bug. It was a while back (2000-2002 era?) but inline javascript wasn't filtered from a tags. The first exploit (that I saw, anyhow) simply used DHTML (as it was then known) to add (paraphrasing) "I can't believe this hasn't been fixed" to the post. (which took about 5 minutes given the speed of computers, javascript, and dom manipulation). About 30 seconds later, redirects to porn, last measure, etc appeared. Slashdot's initial response was to mod them down to -5 and then deleting them.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  6. Is it Christmas already? by dswensen · · Score: 4, Interesting

    Comments turned off by default? Great! Any chance they can make that permanent?

  7. Re:Evolution of an exploit by Anonymous Coward · · Score: 4, Interesting

    I saw someone on /g/ claim to have pulled 300k+ youtube user cookies doing this. The bad thing is your YT account is usually tied to gmail now. Scary... glad I had noscript on.

  8. Trolling as a method to expidite bug fixes? by twidarkling · · Score: 5, Interesting

    Since this was turned in to a massive, YouTube-wide trolling effort, it's being fixed nearly immediately. What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did? And used it for weeks? It would have been more subtle, and with YouTube's traffic, it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. Did 4chan just do a good thing?

    --
    Canada: The US's more awesome sibling.
    1. Re:Trolling as a method to expidite bug fixes? by Anonymous Coward · · Score: 1, Interesting

      For some reason, you're assuming it wasn't used by scammers, and that it wasn't known for more than a few hours.

    2. Re:Trolling as a method to expidite bug fixes? by Anonymous Coward · · Score: 1, Interesting

      Probably. I know some people on 4chan /g/ though, hours before this hit slashdot, were bragging about getting people's youtube/gmail session cookies via an XSS attack through this exploit, then logging into their gmail accounts, looking for other account information to figure out the gmail password, as most people use the same password for everything (it's not so simple to simply reset the gmail password, as you need to re-enter in the current password again, having just the session cookie isn't enough). I'm sure a sizable portion of people had their email accounts hijacked.

      Who knows how long that has been going on.

  9. as usual, xkcd has this covered: by http · · Score: 2, Interesting

    http://www.xkcd.org/481/

    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1
  10. Re:An update by MalHavoc · · Score: 2, Interesting

    I'd also be interested in knowing if this bug had been an issue for a long time. It seems like the sort of exploit that would have been very quickly discovered. I'm not a big YouTube comment reader, but I've noticed some interface/UI tweaks to the way comments can be thumbed up/down in recent weeks. Perhaps this crept in as a result of those.