YouTube Hit By HTML Injection Vulnerability

Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."

Series of tubes...

[ae1294]

All of your tubes are belonging to US now.

Re:Series of tubes...

[KevMar]

Somebody set up us the script bomb

Re:Series of tubes...

Really? They're really only removing some of them? When they can just do a simple delete query and wipe everythin with a properly escaped script tag at the top of the comment? Wow. Just wow.

The solution to this is for users to be asked if they want to participate in commented sections when signing up. Not just at youtube, but everywhere. And probably not just comments, but any user input area.

Re:Series of tubes...

[Stalks]

Don't you mean...

"Somebody script up us the bomb"

Re:Series of tubes...

[ae1294]

Really? They're really only removing some of them? When they can just do a simple delete query and wipe everythin with a properly escaped script tag at the top of the comment? Wow. Just wow.

Shhh.... one word... overtime pay.

Re:Series of tubes...

[daremonai]

That was actually two words ... Oh no, now we owe you overtime. Sneaky.

Re:Series of tubes...

[jhoegl]

You somehow think IT gets OT.... that is pretty funny.
Most Corporate IT get Salary, without OT.

Re:Series of tubes...

[XnavxeMiyyep]

Well, look at the bright side!

YouTube has currently .... set the comments section to be hidden by default

This is the greatest possible improvement to YouTube short of removing the comments section entirely.

Re:Series of tubes...

[LuNa7ic]

Oh my goodness, so many spams and scams are coming through the portal - Somebody call Senator Conroy, quick!

Re:Series of tubes...

[mysidia]

UPDATE VIDEO_COMMENTS set commentext='i am a fucking tool\n' where commentext like '>script%'

Re:Series of tubes...

[uninformedLuddite]

I have alerted John Travolta and Tom cruise expect this lack to be remedied shortly

I experienced this!

I went to youtube, but all I saw was crap material. Someone had injected a bunch of crap!

htmlspecialchars()

Problem solved?

Re:htmlspecialchars()

I think you can count the lines of PHP in the Youtube codebase on zero hands, but yes, that would be the gist of it.
Proper escaping isn't that hard, so this sounds like a poorly thought-out anti-injection measure accidentally circumvented the usual escaping. Generic blacklist-based XSS filters are pretty much useless, there's just too many ways to get a browser to execute some code, even without the general potential for fucking up your site.

Re:htmlspecialchars()

It's not that hard for a small typo to result in something like this:

$text =~ s/([<>])/'&#'.ord($1).';'/ge;
vs
$text =~ s/([<>])/'&#'.ord($1).';'/e;

And not that hard to introduce such a bug when working on existing code to support new output mediums (such as in ajax responses or mobile or the like). In theory code review is supposed to catch it, but...

Re:htmlspecialchars()

[Peach+Rings]

Does anyone understand what IF_HTML_FUNCTION is supposed to mean in the exploit code? As far as I can tell it's just plain text with no special meaning, it's just copied and pasted blindly from some previous code. Am I wrong?

Re:htmlspecialchars()

Indeed, which is why everyone but Perl programmers use library functions rather than writing their own regular expressions for working with markup. As a bonus you avoid little bugs like forgetting to escape '&', and it'll probably escape '"' and ''' as well so you can use it for attributes.

Re:htmlspecialchars()

[Purity+Of+Essence]

Yeah, I was wondering about this to. I ran into the exploit last night and noticed that in the page source. Fortunately, all the injected code did was insert a marquee comment asserting the video posters deviant sexuality while breaking the rest of the page.

Re:htmlspecialchars()

[stereoroid]

I saw something similar - like "Big Red Scrolling Text" in big red scrolling text, and the page cut off at that point. Looked to me like someone was playing with HTML tags, nothing more. I am running NoScript, as I suspect most Slashdot readers are, so nothing from outside YT got executed at all.

Ha ha

[grub]

Awesome. The youtubers getting their panties in a knot have to lighten up. Based on some if their comments, you'd think the world was coming to an end.

Re:Ha ha

[bsDaemon]

Based on the typical YouTube comment (or video, for that matter), I already hard sort of expected that to be the case.

Re:Ha ha

[SpeedyDX]

YouTube is supposed to be a kid-friendly place. Parents could do their best to try to responsibly monitor and guide their kids' surfing habits, but still fail because of this exploit. This is not funny, nor awesome. This is not someone finding a potential exploit and graciously letting Google know so they can patch it up. Just a bunch of 4channers screwing around, and to hell with the consequences. And people like you encouraging that type of behaviour.

Just because this is The Internet(TM), it doesn't mean that common courtesy need not apply.

Re:Ha ha

From what I've seen, there were not only simple insults and racist annoyances, but numerous redirects to the hardest shock site you've probably ever seen. That video makes 2girls1cup, benzin.avi and even the hardest war-porn look like family-friendly softcore entertainment in comparison. It has something to do with 1 man and 1 jar and I dare you to Google that if you have doubt this is emotionally scarring material.

Re:Ha ha

[JohnFen]

YouTube is supposed to be a kid-friendly place.

Good lord, that's the funniest thing I've read in a while. Thank you.

You tube itself (the videos) are generally fine, but the comment section is one of the more famous and major of the internet cesspools. I would never characterize it as "kid-friendly".

Re:Ha ha

Have you taken a look in the real world lately. Common courtesy doesn't seem to apply there either.

Re:Ha ha

[mickwd]

Well, given that such a low ID would have been given out a number of years ago now........

People do get older, you know.

Re:Ha ha

[twidarkling]

Physical age doesn't necessarily correspond to mental age. Personally, I've been getting more immature as years pass.

Re:Ha ha

[negRo_slim]

YouTube is supposed to be a kid-friendly place.

Good lord, that's the funniest thing I've read in a while. Thank you.

Yup soon the Texas Donk Squad will over take Sesame Street in children's programming.

Re:Ha ha

[jack2000]

It is so bad i had to re-purpose a greasemonkey script that changes the style of youtube to hide the comments section. What were they thinking taking out the option to hide the damn comments.

Re:Ha ha

[Cylix]

Well, given that such a low ID would have been given out a number of years ago now........

People do get older, you know.

No they don't. PooFace!

Re:Ha ha

[bsDaemon]

i don't know... what were they thinking allowing comments in the first place?

Re:Ha ha

[hattig]

Pressure, meet fragile, breakable glass.

Oh god, why why did I look for that as well?

AND WHY WHY WHY!!!!!!!!!!! FFS!!!!!!!!!!!

Re:Ha ha

[Johnno74]

Physical age doesn't necessarily correspond to mental age. Personally, I've been getting more immature as years pass.

"I have abandoned the quest for eternal youth and instead setttled for lifelong immaturity"

Re:Ha ha

[PBoyUK]

Yes. Shortly after, blood soaked shards of glass start dropping out of his ruptured anus.

It's one of those few times you feel lucky for the video being of poor quality. Though I can't blame youtube for having seen this. My curiosity led me to it some years ago,

Re:Ha ha

[GameboyRMH]

Ohhhhhh, Donk as in Badonkadonk. I was expecting to see a group of cowboy-hatted heroes travelling in blinged-out cars with ridiculously huge rims solving crimes and teaching children important life lessons along the way.

Evolution of an exploit

The evolution of this bug exploit was quite interesting to follow up close.

At first it simply prevented any further comments to be posted.
Then text was added.
Then the text was scrolling.
Suddenly, the entire page was blacked out except for the added text.

And that's when the more technical minded people realized much much more was possible.
Bam! Popups!
Infinite popups that lead to browser crashes!
Page redirects to shock sites!
The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video..

And when the exploit was blocked in the comments, it had a small resurgence as video reply title, before being smacked down once more.

Glorious.

Re:Evolution of an exploit

[larry+bagina]

Reminds me of the slashdot <a onhover=".."> bug. It was a while back (2000-2002 era?) but inline javascript wasn't filtered from a tags. The first exploit (that I saw, anyhow) simply used DHTML (as it was then known) to add (paraphrasing) "I can't believe this hasn't been fixed" to the post. (which took about 5 minutes given the speed of computers, javascript, and dom manipulation). About 30 seconds later, redirects to porn, last measure, etc appeared. Slashdot's initial response was to mod them down to -5 and then deleting them.

Re:Evolution of an exploit

[wmbetts]

I'm really surprised it used for trolling rather than making money. That seems like a phishers wet dream.

Re:Evolution of an exploit

I saw someone on /g/ claim to have pulled 300k+ youtube user cookies doing this. The bad thing is your YT account is usually tied to gmail now. Scary... glad I had noscript on.

Re:Evolution of an exploit

[baka_toroi]

So you'd rather have phishers/scammers fuck you over than a silly joke?

Re:Evolution of an exploit

[nurb432]

Trolling is just a distraction from the real meat.

Re:Evolution of an exploit

[hattig]

Hmm, I remember that, I remember embedded Freshmeat as an embedded iframe thing into a Slashdot post at the time...

I don't think I could do that off the top of my head anymore. But my cooking skills have improved!

Re:Evolution of an exploit

[Cyberllama]

Youtube is on Noscript's whitelist by default.

Re:Evolution of an exploit

[alexo]

There is something to be said for BB Code.

Re:Evolution of an exploit

[icebraining]

Then you should contact him to update the FAQ, because it says nothing about Youtube.

Re:Evolution of an exploit

[Cyberllama]

That's odd. Perhaps it was on the whitelist when I installed it (well over a year ago) but isn't anymore. I recall it being whitelisted by default then, but I suppose I could be crazy.

Re:Evolution of an exploit

[mzs]

I think the parent confused yahoo and youtube simply.

An update

[Virak]

They actually got it fixed a bit after I submitted this story. A shame, lemonparty was a big step up from the usual level of discussion on YouTube videos. More seriously, I'm interested in finding out exactly what happened here. Hopefully Google will post some sort of explanation. YouTube is a massive site and it's somewhat bizarre seeing them make the sort of mistake you'd expect from something put together by a drooling moron with nothing but a "How to learn PHP in 24 hours!" book.

Re:An update

[mikael_j]

Yes, this does seem like the kind of bug I'd expect halfway competent dev to take into consideration when building a site. A very simple fix is to translate all < and > characters to the & lt; and & gt; versions instead, AFAIK youtube doesn't even allow HTML in comments anyway...

Re:An update

[MalHavoc]

I'd also be interested in knowing if this bug had been an issue for a long time. It seems like the sort of exploit that would have been very quickly discovered. I'm not a big YouTube comment reader, but I've noticed some interface/UI tweaks to the way comments can be thumbed up/down in recent weeks. Perhaps this crept in as a result of those.

They hid all comments...

[Inf0phreak]

wait for it... wait for it... And nothing of value was lost!

Re:They hid all comments...

[Yvanhoe]

The day youtube implements a slashcode moderation system, internet will awake to global consciousness...

Re:They hid all comments...

[hankwang]

Obligatory: http://xkcd.com/202/

Re:They hid all comments...

[Kreigaffe]

at least most of the youtube comments are most likely made after the video has been viewed. they sorta have a leg up on slashdot there.

ps: no i didn't read the article

Re:They hid all comments...

[GameboyRMH]

It looks like the Arachnotron from Doom 2, but with a giant butt instead of a giant brain. A much scarier monster. I'd hate to see its goatse attack x_x

Really?

[Dremth]

Wow. You'd think somebody would've figured out something like this a long time ago.

Re:Really?

[Scrameustache]

Wow. You'd think somebody would've figured out something like this a long time ago.

But since merely gazing at youTube comments lowers your IQ by at least 20 points, I'm actually amazed someone found it. Must have used some of kind of proxy who looked at it, got dumber for it, but managed to pass along the code to someone who could look at it without being exposed to the dumb.

It happened to Slashdot years ago.

Someone used an > to fool the tag parser and did recurring alert boxes and also redirects to Goatse. It's quite a common problem, as illustrated by Bobby Tables.

The very definition of Youtube

Lots of people anonymously "injecting" a bunch of crap into a website for all others to see.

This exploit is just an alternative to the original "Upload Video" button.

I'd love to see the Comments removed period

A lot of the comments are just troll BS. Most people log on for videos not to read the ramblings of basement dwelling trolls. I try to ignore them but they can be really obnoxious. I don't post on Youtube but I have had things pirated and posted just so they could make obnoxious comments. The work posted was just previs stuff that was just done for editing slugs but it was presented as finished work. It caused some trouble with a client so I got a lot more careful about letting development work out there. It's just sad a handful have to spoil things for everyone else. I used to post a lot of development work on my web site but I stopped completely. Trolls are like the people that talk and answer phone calls and take infants to movies. They really spoil the experience for the rest of us. I say if the comments can't be a constructive outlet then remove them and get rid of that security hole completely. The other option for security would be removing the HTML and go pure text. It's nice having HTML input but you don't really need the formatting for comments and it's always going to be a source of potential holes.

Re:I'd love to see the Comments removed period

[grumbel]

A lot of the comments are just troll BS.

Yes, but I blame the comment system for that. A comment system that doesn't allow links, doesn't allow more then a handful of characters, is a complete usability nightmare when you want to browse more then the last ten comments, doesn't allow search and doesn't support threads or replies properly is just useless when you actually want to write something insightful. A comment system should encourage informative posts, not make them impossible like the Youtube system does.

The latest changes that the highest rated comments and comments from the video upload appear on top have helped a bit to cleanup the mess, but its still far away from being a comment system where people actually can have a meaningful discussion.

Re:I'd love to see the Comments removed period

[Thantik]

On top of that they need to implement some sort of penalty system for people who regularly post things that are downvoted. If out of 10 posts, the amount of downvotes you've gotten is higher than 80% then implement a week long "cool-off" period in which it resets to 0

Re:I'd love to see the Comments removed period

[Dr+Herbert+West]

Really? You put client-facing work on YouTube? Ouch.

If you don't want to spare the bandwidth on your own site (how much data are you pushing, anyway?) then try Vimeo. Cleaner, better optimization, has private (need a password) channels, offers a "pro" service where you get unlimited uploads, etc.

It's mainly used by video artists, tech demos, etc.

Re:I'd love to see the Comments removed period

[Lije+Baley]

Yes, if only they had a more sophisticated comment system, then the level of discourse would be closer to that of Slashdot or /b/.

Why natural language needs grouping symbols

a "How to learn PHP in 24 hours!" book

Does that mean:

1. It teaches you, over the course of an unspecified period of time, how to learn PHP in 24 hours?
2. It teaches you, over the course of 24 hours, how to learn PHP? or
3. After 24 hours have elapsed, it teaches you how to learn PHP?

Note that it doesn't actually teach you PHP. It just teaches you how to learn it.

Re:Why natural language needs grouping symbols

[JamesP]

Actually, it teaches you PHP if you're on the cast of '24 hours'

Re:Why natural language needs grouping symbols

[maxwell+demon]

No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

Re:Why natural language needs grouping symbols

[weicco]

I can't wait 24 hours! Got to get 12 hour book...

Re:Why natural language needs grouping symbols

[roman_mir]

It does no such thing, that book talks about a guy I know, who is about to learn PHP. The guy's name is How, yes all my friends are like that.

Re:Why natural language needs grouping symbols

[CODiNE]

I've seen the book, option 3 is the correct answer.

It's 1,440 pages of "Wait one minute, then turn the page" which sadly forces one into an inescapable loop for 24 hours. After one has starved, missed sleep and soiled oneself through this excruciating 24 hour period the last page says only this:

Buy the book titled 'This book teaches you PHP'.

I was thoroughly disappointed.

Re:Why natural language needs grouping symbols

[tomhudson]

I'm in Canada - we're on METRIC time, you insensitive clod! 100 seconds per minute, 100 minutes per hour, 10 hours per day!

Re:Why natural language needs grouping symbols

[noidentity]

Note that it doesn't actually teach you PHP. It just teaches you how to learn it.

Does this mean that you learn how to teach it?

Re:Why natural language needs grouping symbols

[osu-neko]

No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

An optimized version, then? ;)

Re:Why natural language needs grouping symbols

That's DECIMAL time, not metric time.

SI units only define second, so there is 1 second, 1 kilo-second, 1 mega-second, 1 giga-second, etc...

http://en.wikipedia.org/wiki/Decimal_time
http://en.wikipedia.org/wiki/Metric_time

If you look in the first link, you'll notice that 1 decimal-second = 0.864s

Re:Why natural language needs grouping symbols

[Kreigaffe]

The first time I hear anyone ever fucking utter the word "Kibisecond" I'm just going to shoot them in the face. There's no other choice.

Re:Why natural language needs grouping symbols

[safetyinnumbers]

No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

Well that's the Halting Problem sorted then. Faster cgi scripts - not so much.

Re:Why natural language needs grouping symbols

How many Lojbanists does it take to change a broken light bulb? ...

Two: one to figure out what to change it into, and one to figure out what kind of bulb emits broken light.

Re:Why natural language needs grouping symbols

[mpeskett]

If I ever need to refer to 1024 seconds, I'll be sure to do so when you're not around.

Re:Why natural language needs grouping symbols

[tom17]

They are a bit late, its all x.org now.

Re:Why natural language needs grouping symbols

[mjwx]

If I ever need to refer to 1024 seconds, I'll be sure to do so when you're not around.

Dont worry, he'll be back in a kibisecond.

Re:Why natural language needs grouping symbols

[L4t3r4lu5]

Self-fulfilling prophecy?

It's been nice knowing you.

Exploits

[REggert]

I wonder how many times this vulnerability was used to deliver malware.

tags, quoting and XSS

[Gopal.V]

If I had to guess, I think it's a variant of an attack I've seen before.

Re: tags, quoting and XSS

[Peach+Rings]

Ah the intricacies of the Firefox codebase.

Someone needs to lose their job over this

[l0ungeb0y]

What idiot doesn't check user input with at least a regex replace to look for offending tags in fields *YOU KNOW* will be rendered by an HTML interpreter (browser)?
Languages like PHP even have built-in routines that will strip out all HTML tags except for safe one you specify, it's been a few years, but I believe it's called htmlSafeTags(string, array of safe tags).

This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.

Re:Someone needs to lose their job over this

[Krahar]

This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.

The summary states that the first script tag was escaped as it should be. It was a bug, not a lack of foresight.

Re:Someone needs to lose their job over this

[Sigma+7]

What idiot doesn't check user input with at least a regex replace to look for offending tags in fields *YOU KNOW* will be rendered by an HTML interpreter (browser)?

http://thedailywtf.com/articles/injection-proofd.aspx

Reactive regexing offending tags such as "script", "object" or "embed" don't work if you don't know they exist. As such, it's easier to simply include functions in the programming language API that escape/unescape strings sent in through user input so that junk like that doesn't get echoed into something hazardous.

Re:Someone needs to lose their job over this

[lgw]

YouTube doesn't support HTML in comments, so someone got too clever for their own good.

Here's a simple solution to avoid all this sort of BS forever: reject any comment with the < or & characters in it. Done. Why do extra work to create security holes?

Re:Someone needs to lose their job over this

[christopherfinke]

reject any comment with the < or & characters in it.

What if you want to comment about AT&T or write a mathematical equation stating that x < y.

Users should be able to enter anything they want; htmlspecialchars() and nl2br() ensure that it will be displayed exactly as they entered it.

Re:Someone needs to lose their job over this

[LordSnooty]

Freedom of speech? You'll take my ampersand from my cold, dead hands.

Re:Someone needs to lose their job over this

[The+MAZZTer]

Sounds like someone forgot the global flag on their regex.

Re:Someone needs to lose their job over this

[soliptic]

idiot ... check user input with ... a regex

ahem.

Re:Someone needs to lose their job over this

[sourcerror]

If there's a script tag in a comment, it's obviously malicious, so it shouldn't have appeared after all. (You know, telling the submitter that it's malformed.)

Re:Someone needs to lose their job over this

[Krahar]

If you are watching a video about doing something in HTML and Javascript, then I'd expect that the comments could have quite a few script tags in them that the submitters fully expect to be displayed without malicious intent.

Re:Someone needs to lose their job over this

[lgw]

Have you read Youtube comments? Clearly not, or you wouldn't be going on about mathematical equations. All of the common insults popular amoung school childer are possible without special characters, so it would be fine - you barely need capital letters.

Re:Someone needs to lose their job over this

[thejynxed]

Or better yet, don't allow scriptable elements/strings in the user input period. A general purpose video site does not need or require fancy formatting or scripting elements in comments.

Plain text. It works folks.

Interest pondering the how and why of such fails

[DRJR]

I find it interesting pondering the how and why these things fail-- the insight into how the code must have been put together to fail on a particular input.

My initial guess for this one would be that they escape html and scripts separately-- scripts do not need greater than, less than, and ampersand escaped-- and that detecting the keyword 'script' switched modes from html to script. The fact that the first script tag is properly html-escaped suggests that while it was properly detected, the code to switch between html and script modes did not take this detection into account and switched anyway. I'm going to further guess that this do to some support code meant for the programmers' side inadvertently managed to cross over into user land.

My two cents.
--Dave Romig, Jr.

... if you want to keep it

[xororand]

Get the YouTube Comment Snob addon for Firefox.

YouTube Comment Snob filters out undesirable comments from YouTube comment threads. You can choose to have any of the following rules mark a comment for removal:

* More than # spelling mistakes: The number of mistakes is customizable, and the extension uses Firefox's built-in spell checker.
* All capital letters
* No capital letters
* Doesn't start with a capital letter
* Excessive punctuation (!!!! ????)
* Excessive capitalization
* Profanity

Re:... if you want to keep it

[Rallion]

*Reads list of filtering options*

So does it just hide the whole comment section, or show it as being empty?

Re:... if you want to keep it

[ObsessiveMathsFreak]

You mean, people actually read Youtube comments enough to warrant this addon?

Re:... if you want to keep it

[trajanus22]

Won't this have the same effect as turning the comments off?

Re:... if you want to keep it

[christopherfinke]

You can turn this option off, or you can specify the language of the dictionary you want to use for spell-checking.

Re:... if you want to keep it

Did anyone else read that list as:

* All capital letters
* ????
* Profanity

Massive rickroll?

[mwvdlee]

If they didn't redirect ALL videos to a Rick Astley video, they have missed the opportunity of a lifetime.

Re:Massive rickroll?

[Dachannien]

I wanted to watch a Rick Astley video, but it redirected me to another Rick Astley video.

Re:Massive rickroll?

[DMiax]

Not very original, since it was the april fool from youtube itself a few years ago.

Re:Interest pondering the how and why of such fail

[mwvdlee]

Why would they have a distinction between a HTML and a script mode on comments? Is there any reason you'd ever want a comment to contain a script?

Is it Christmas already?

[dswensen]

Comments turned off by default? Great! Any chance they can make that permanent?

Re:Is it Christmas already?

[Max+Romantschuk]

The comments never bothered me. I simply don't read them.

Re:Is it Christmas already?

[Wingnut64]

Any chance they can make that permanent?

Use Addblock Plus and add the following element hiding rules:

##div#watch-discussion
##div.watch-comment-entry

Re:Is it Christmas already?

[osu-neko]

The comments never bothered me. I simply don't read them.

This sounds good in theory. In practice, people who read a lot generally cannot help but successfully read entire sentences in their peripheral vision. Nothing short of removing the text from my visual field will prevent the meaning of the words from becoming instantly lodged in my brain the moment they appear anywhere visible.

Re:Is it Christmas already?

[corychristison]

Use Addblock Plus

I was not aware there was a version of Adblock Plus for those of us with A.D.D.!

Spaghetti cat!

Re:Is it Christmas already?

[moonbender]

I'm sure there's a Greasemonkey script that removes the comments. Hell, a user CSS hack would probably do it.

Re:Is it Christmas already?

[Max+Romantschuk]

This sounds good in theory. In practice, people who read a lot generally cannot help but successfully read entire sentences in their peripheral vision. Nothing short of removing the text from my visual field will prevent the meaning of the words from becoming instantly lodged in my brain the moment they appear anywhere visible.

You're an accomplished speed reader.

I read _a lot_ myself, but never learned the skill to read anything other than what I focus on for the most part. Simply reading a lot doesn't automatically grant you the skill to be able to read like you do. You likely have a genetic advantage... Or perhaps disadvantage, in this particular case. ;)

Re:Interest pondering the how and why of such fail

[linguizic]

Exactly, why not just escape the whole thing? Or if you're even more paranoid, why not just strip the script tags and everything in between? That being said, the fact that this exploit exists in the first place shows that they're not doing either one of those things.

Trolling as a method to expidite bug fixes?

[twidarkling]

Since this was turned in to a massive, YouTube-wide trolling effort, it's being fixed nearly immediately. What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did? And used it for weeks? It would have been more subtle, and with YouTube's traffic, it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. Did 4chan just do a good thing?

Re:Trolling as a method to expidite bug fixes?

For some reason, you're assuming it wasn't used by scammers, and that it wasn't known for more than a few hours.

Re:Trolling as a method to expidite bug fixes?

[twidarkling]

Fine, assume it was. If this hadn't happened, how much *longer* would it have gone on. My main point still stands, trolling expedited the bug fix.

Re:Trolling as a method to expidite bug fixes?

Probably not long. Google isn't known for complacency, and popular web services in general react quickly. Except for Facebook, anyway.

If it wasn't known, then it might have been undetected for weeks. But until Google says otherwise, we can't know that this wasn't already the case.

Re:Trolling as a method to expidite bug fixes?

Probably. I know some people on 4chan /g/ though, hours before this hit slashdot, were bragging about getting people's youtube/gmail session cookies via an XSS attack through this exploit, then logging into their gmail accounts, looking for other account information to figure out the gmail password, as most people use the same password for everything (it's not so simple to simply reset the gmail password, as you need to re-enter in the current password again, having just the session cookie isn't enough). I'm sure a sizable portion of people had their email accounts hijacked.

Who knows how long that has been going on.

Re:Trolling as a method to expidite bug fixes?

[phoenix321]

"What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did?"

What tells you they didn't?

Re:Trolling as a method to expidite bug fixes?

[dkf]

But until Google says otherwise, we can't know that this wasn't already the case.

Fortunately, they already have all the data with potential exploits and are reasonably well known for their ability to search for things. Depending on how things are stored, it even might be as simple as doing a first-cut by looking for an unescaped < character.

Re:Trolling as a method to expidite bug fixes?

[mxs]

You assume, of course, that this bug is recent, 4chan was the first to discover it, and that there hasn't been any subtile, massively successful abuse for weeks.

Re:Trolling as a method to expidite bug fixes?

[JustinRLynn]

4Chan did an obviously bad thing in comparison to someone doing a very bad thing in an insidious fashion. I'd compare it to solving the problem of urban decay through nuking the whole place... You have to do it from orbit, just to be sure.

Server vs. Client?

[Kaenneth]

How much of this kind of problem is caused by the standard behavior of browsers to make a 'best guess' at interpreting 'bad' HTML, since the parsing rules are very lax compared to XML?

Should unmatched tags cause the browser to stop and say 'Parsing Error, Invalid HTML'? (or whatever user-friendly message the browser author writes)

'cause I could totally imagine someone, somewhere writing a browser that sees '&lt's and auto-re-encodes them, then does it's tag parsing.

Back around 1998 I worked for a company that made e-commerce sites as their first tester for less than a month. The first bug I found was that a new user could insert script tags in their username (any field, really), my employers response was "Why would anyone want to hack a website?"... I wouldn't drop the issue, so they dropped me.

Re:Server vs. Client?

[PatPending]

The first bug I found was that a new user could insert script tags in their username (any field, really), my employers response was "Why would anyone want to hack a website?"... I wouldn't drop the issue, so they dropped me.

Did you then DROP their tables?

as usual, xkcd has this covered:

[http]

http://www.xkcd.org/481/

Take inspiration

[Robotron23]

Get inspired from places with mature attitudes on drug abuse; those with safe injecting sites.

Youtube feels like a drug to me at times...I'd elaborate on this viewpoint but a vid of a cat and a dog chasing their own tails at the same time interests me more.

I'm just worried about...

[dandart]

someone stealing my cookies. They're MY cookies. -_-

The Safari Shut Up extension

[bonch]

Shut Up is a Safari extension that removes the comment sections from several popular websites. Enjoy less bullshit in your web browsing.

doesn't work anymore

[xororand]

I haven't actually tried Comment Snob addon in some time and it seems that it hasn't been updated to work with the latest changes on YouTube. Maybe someone with a little free time has the passion to fix it.

Re:doesn't work anymore

[christopherfinke]

I'm the author, and I uploaded a new version that works with the latest YouTube design a few days ago. It's just pending approval by Mozilla.

Re:doesn't work anymore

[Doctor_Jest]

Thanks for the update! I was scratching my head until I realized there was a "redesign" on the part of Youtube. :)

Keep It Simple

[DrYak]

Nice, long and contrived explanation.

Much more likely they forgot to set the correct parameter to have ALL the occurrence replaced instead of the left-most longest occurrence.
(for example, they forgot to put a "g" after the RegExp)

Re:Keep It Simple

[DRJR]

Sadly, something like that-- using the wrong regular expression-- would be the simple example at most places I've worked. I've often found the cause of some bugs to convoluted to the point of being baffling. I've seen a commercial PHP script that used an if-then statement with dozens of branches that each did nothing more that included a single file, nested, and then did it again. The final include files were almost identical except the name of the product to be displayed and its description. I was to add a product to that mess. I was mystified as to how someone thought _that_ was a good idea. Well, I got permission and rewrote it into a database lookup in maybe 15 minutes. Adding new products afterwards was certainly easier.

Interesting thought about the missing global flag, though. Considering it appeared to replace all occurrences except in that one case, I'm leaning away from that. I guess there could have been multiple expressions in play where one was missing a flag, but I cannot think of a reason off hand why someone would want to do that.

You did get me thinking though-- as I once wrote a parser in PHP using PERL Regular Expressions just for kicks-- how easy it is to blow the backtrack limit or the recursion limit when using recursion to properly handle more than one state. Once only subpatterns (either via adding + after + or . or via (?>) ) ultimately kept things under control (and was good for speed too), but I did not add them until my expression was confirmed working properly. During my first test run to verify the expression, I blew the backtrack limit which caused the expressions to silently stop replacing the string and return the rest of it unchanged. A separate call (which wasn't added to the final version) is required to detect the error although it quickly became obvious what had happened. The error patterns are similar. However, a complex pattern would be required to cause it. Again that could be caused by the wrong pattern, a programmer's test pattern instead of the one intended for the user.

Obviously I don't know the answer any more than anyone else does (save those at Google/youTube). I speculate for fun because its interesting and it keeps me thinking-- which always comes in handy at debug time.

Thanks for the alternate viewpoint.
--Dave Romig, Jr.

Regarding the Zoho topic this is ironic

[thetoadwarrior]

We only just had a big debate over whether going to university makes you a better coder or not in the Zoho topic. http://news.slashdot.org/story/10/07/01/208222/Zoho-Dont-Need-No-Stinking-PhD-Programmers

In there Google and their army of PhDs was mentioned as proof that a degree really matters.

It appears even with a PhD you're still susceptible to making school boy errors. Zoho can make these sorts of errors for much less by hiring kids straight out of high school. :P

Re:Regarding the Zoho topic this is ironic

[Jane+Q.+Public]

The fact that educated people make mistakes is not equivalent to whether uneducated people can make educated programming decisions.

Outside of school, do you really think someone will pick up on the math and other concepts necessary to, for just one example, calculate the Big-O of a part of their program? Or understand why they should?

Re:Regarding the Zoho topic this is ironic

[MillionthMonkey]

Outside of school, do you really think someone will pick up on the math and other concepts necessary to, for just one example, calculate the Big-O of a part of their program?

Sure, why not? I found it to be O(1).

Re:Regarding the Zoho topic this is ironic

[thetoadwarrior]

Yes I do think they can. The fact is they can get the same books that uni students use. They lack thw professor but between the books and internet I don't think it is a big deal.

The other thing to keep in mind is that it wasn't a serious comment so no need to get sand in your pussy.

Re:Regarding the Zoho topic this is ironic

[Jane+Q.+Public]

Sure they can. I don't dispute that. My question is, how many of them will? My guess -- and I think it's a good guess -- is pretty damned few.

So - I don't care

[tuomoks]

It's only bad design / coding / development - who cares! It happens all the time and will happen as long as the subpar designs / development / coding is allowed. Mostly I would blame the design of these systems - it's very difficult to (safely) implement anything which is already broken, as most of the systems today! Or - if you don't agree, list the systems that haven't been broken one time or other? Or - which will not be broken in future?

Seriously - after fighting long enough years for safe and secure design, I honestly don't understand these? It has been 100% - really hundred percent - every time a problem with design for no other reason except ignorance, greed, lack of experience, whatever - but anyway something you would have got fired earlier! Now - blame others, blame a product, blame a vendor, blame a hacker, etc - give me a break!

Re:Interest pondering the how and why of such fail

[DRJR]

Agreed. I think that's what they were trying to do, but it failed. Another poster reminded me of a particular way PERL Regular Expressions can fail in PHP that would an escaping half-processed in this manner.

You have to wonder, though, most languages designed for web pages already have an optimized function for this type of escaping. Why not use it? Either they are trying to be clever or they reinvented the function in an incomplete way.

Maybe if the paranoia level it low, they'll announce what it was when its fixed.
--Dave Romig, Jr.

Not all comments turned off.

[formfeed]

Actually, all youtube-comments marked "insightful" were still readable...

What I learned from this story

[SmallFurryCreature]

What I learned from this story:

That goatse.cx is very old news and that there are whole new horrors I never even heard of.

Someone must be looking out for me.

You know you are living a blessed life when you got no idea what 1man1jar or lemon party is. Reminds me of being a little kid and having no idea what the adults were talking about. Only this time I know the value of ignorance.

Let me see. 1 man 1 jar, must be about a man collecting pennies to buy a gift for his mother.

Lemon party? Sweet lemonade for a hot summer day? Sounds fun.

2girls1cup? Two girls riding the magic cup at disney?

Please, don't correct me. Ignorance is bliss.

Re:What I learned from this story

[GameboyRMH]

Isn't it funny that in ye olden days of the interwebs hello.jpg was the worst thing out there...and now it hardly qualifies as shock material. Just a dude stretching a natural orifice with his boring ol' hands, yawn. Imagine what will be considered serious shock material 10 years from now...or don't.

1 Man 1 Jar? Big deal.

[GameboyRMH]

1 Man 1 Jar is in the same league as 2 Girls 1 Cup or Mr. Hands. Not up in the same league with the Ukrainian snuff videos, benzin.avi or terrorist beheading videos, and certainly not the "hardest you've ever seen" unless you're new to the Internet.

That said a man stuffing a jar up his ass and having it break is still not something you want to see.