Slashdot Mirror


YouTube Hit By HTML Injection Vulnerability

Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."

5 of 224 comments (clear)

  1. Re:I'd love to see the Comments removed period by grumbel · · Score: 4, Interesting

    A lot of the comments are just troll BS.

    Yes, but I blame the comment system for that. A comment system that doesn't allow links, doesn't allow more then a handful of characters, is a complete usability nightmare when you want to browse more then the last ten comments, doesn't allow search and doesn't support threads or replies properly is just useless when you actually want to write something insightful. A comment system should encourage informative posts, not make them impossible like the Youtube system does.

    The latest changes that the highest rated comments and comments from the video upload appear on top have helped a bit to cleanup the mess, but its still far away from being a comment system where people actually can have a meaningful discussion.

  2. Re:Evolution of an exploit by larry+bagina · · Score: 5, Interesting

    Reminds me of the slashdot <a onhover=".."> bug. It was a while back (2000-2002 era?) but inline javascript wasn't filtered from a tags. The first exploit (that I saw, anyhow) simply used DHTML (as it was then known) to add (paraphrasing) "I can't believe this hasn't been fixed" to the post. (which took about 5 minutes given the speed of computers, javascript, and dom manipulation). About 30 seconds later, redirects to porn, last measure, etc appeared. Slashdot's initial response was to mod them down to -5 and then deleting them.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  3. Is it Christmas already? by dswensen · · Score: 4, Interesting

    Comments turned off by default? Great! Any chance they can make that permanent?

  4. Re:Evolution of an exploit by Anonymous Coward · · Score: 4, Interesting

    I saw someone on /g/ claim to have pulled 300k+ youtube user cookies doing this. The bad thing is your YT account is usually tied to gmail now. Scary... glad I had noscript on.

  5. Trolling as a method to expidite bug fixes? by twidarkling · · Score: 5, Interesting

    Since this was turned in to a massive, YouTube-wide trolling effort, it's being fixed nearly immediately. What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did? And used it for weeks? It would have been more subtle, and with YouTube's traffic, it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. Did 4chan just do a good thing?

    --
    Canada: The US's more awesome sibling.