Slashdot Mirror


YouTube Hit By HTML Injection Vulnerability

Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."

50 of 224 comments

  1. Series of tubes... by ae1294 · · Score: 5, Funny

    All of your tubes are belonging to US now.

    1. Re:Series of tubes... by KevMar · · Score: 5, Funny

      Somebody set up us the script bomb

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    2. Re:Series of tubes... by Anonymous Coward · · Score: 3, Insightful

      Really? They're really only removing some of them? When they can just do a simple delete query and wipe everything with a properly escaped script tag at the top of the comment? Wow. Just wow.

      The solution to this is for users to be asked if they want to participate in commented sections when signing up. Not just at youtube, but everywhere. And probably not just comments, but any user input area.

    3. Re:Series of tubes... by Stalks · · Score: 2, Informative

      Don't you mean...

      "Somebody script up us the bomb"

    4. Re:Series of tubes... by ae1294 · · Score: 4, Funny

      Really? They're really only removing some of them? When they can just do a simple delete query and wipe everything with a properly escaped script tag at the top of the comment? Wow. Just wow.

      Shhh.... one word... overtime pay.

    5. Re:Series of tubes... by daremonai · · Score: 5, Funny

      That was actually two words ... Oh no, now we owe you overtime. Sneaky.

    6. Re:Series of tubes... by XnavxeMiyyep · · Score: 4, Insightful

      Well, look at the bright side!

      YouTube has currently .... set the comments section to be hidden by default

      This is the greatest possible improvement to YouTube short of removing the comments section entirely.

      --
      I put the 't' in electrical engineering.
  2. I experienced this! by Anonymous Coward · · Score: 5, Funny

    I went to youtube, but all I saw was crap material. Someone had injected a bunch of crap!

  3. Evolution of an exploit by Anonymous Coward · · Score: 5, Informative

    The evolution of this bug exploit was quite interesting to follow up close.

    At first it simply prevented any further comments to be posted.
    Then text was added.
    Then the text was scrolling.
    Suddenly, the entire page was blacked out except for the added text.

    And that's when the more technical minded people realized much much more was possible.
    Bam! Popups!
    Infinite popups that lead to browser crashes!
    Page redirects to shock sites!
    The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video..

    And when the exploit was blocked in the comments, it had a small resurgence as video reply title, before being smacked down once more.

    Glorious.

    1. Re:Evolution of an exploit by larry+bagina · · Score: 5, Interesting

      Reminds me of the slashdot <a onhover=".."> bug. It was a while back (2000-2002 era?) but inline javascript wasn't filtered from a tags. The first exploit (that I saw, anyhow) simply used DHTML (as it was then known) to add (paraphrasing) "I can't believe this hasn't been fixed" to the post. (which took about 5 minutes given the speed of computers, javascript, and dom manipulation). About 30 seconds later, redirects to porn, last measure, etc appeared. Slashdot's initial response was to mod them down to -5 and then delete them.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:Evolution of an exploit by wmbetts · · Score: 4, Insightful

      I'm really surprised it was used for trolling rather than making money. That seems like a phisher's wet dream.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    3. Re:Evolution of an exploit by Anonymous Coward · · Score: 4, Interesting

      I saw someone on /g/ claim to have pulled 300k+ youtube user cookies doing this. The bad thing is your YT account is usually tied to gmail now. Scary... glad I had noscript on.

    4. Re:Evolution of an exploit by hattig · · Score: 2

      Hmm, I remember that, I remember embedded Freshmeat as an embedded iframe thing into a Slashdot post at the time...

      I don't think I could do that off the top of my head anymore. But my cooking skills have improved!

  4. An update by Virak · · Score: 5, Informative

    They actually got it fixed a bit after I submitted this story. A shame, lemonparty was a big step up from the usual level of discussion on YouTube videos. More seriously, I'm interested in finding out exactly what happened here. Hopefully Google will post some sort of explanation. YouTube is a massive site and it's somewhat bizarre seeing them make the sort of mistake you'd expect from something put together by a drooling moron with nothing but a "How to learn PHP in 24 hours!" book.

    1. Re:An update by MalHavoc · · Score: 2, Interesting

      I'd also be interested in knowing if this bug had been an issue for a long time. It seems like the sort of exploit that would have been very quickly discovered. I'm not a big YouTube comment reader, but I've noticed some interface/UI tweaks to the way comments can be thumbed up/down in recent weeks. Perhaps this crept in as a result of those.

  5. Re:Ha ha by bsDaemon · · Score: 5, Funny

    Based on the typical YouTube comment (or video, for that matter), I already had sort of expected that to be the case.

  6. They hid all comments... by Inf0phreak · · Score: 5, Insightful

    wait for it... wait for it... And nothing of value was lost!

    --
    ________
    Entranced by anime since late summer 2001 and loving it ^_^
  7. Really? by Dremth · · Score: 2, Interesting

    Wow. You'd think somebody would've figured out something like this a long time ago.

    1. Re:Really? by Scrameustache · · Score: 4, Insightful

      Wow. You'd think somebody would've figured out something like this a long time ago.

      But since merely gazing at YouTube comments lowers your IQ by at least 20 points, I'm actually amazed someone found it. Must have used some kind of proxy who looked at it, got dumber for it, but managed to pass along the code to someone who could look at it without being exposed to the dumb.

      --

      You can't take the sky from me...

  8. The very definition of Youtube by Anonymous Coward · · Score: 5, Funny

    Lots of people anonymously "injecting" a bunch of crap into a website for all others to see.

    This exploit is just an alternative to the original "Upload Video" button.

  9. I'd love to see the Comments removed period by Anonymous Coward · · Score: 2, Interesting

    A lot of the comments are just troll BS. Most people log on for videos not to read the ramblings of basement dwelling trolls. I try to ignore them but they can be really obnoxious. I don't post on Youtube but I have had things pirated and posted just so they could make obnoxious comments. The work posted was just previs stuff that was just done for editing slugs but it was presented as finished work. It caused some trouble with a client so I got a lot more careful about letting development work out there. It's just sad a handful have to spoil things for everyone else. I used to post a lot of development work on my web site but I stopped completely. Trolls are like the people that talk and answer phone calls and take infants to movies. They really spoil the experience for the rest of us. I say if the comments can't be a constructive outlet then remove them and get rid of that security hole completely. The other option for security would be removing the HTML and go pure text. It's nice having HTML input but you don't really need the formatting for comments and it's always going to be a source of potential holes.

    1. Re:I'd love to see the Comments removed period by grumbel · · Score: 4, Interesting

      A lot of the comments are just troll BS.

      Yes, but I blame the comment system for that. A comment system that doesn't allow links, doesn't allow more than a handful of characters, is a complete usability nightmare when you want to browse more than the last ten comments, doesn't allow search and doesn't support threads or replies properly is just useless when you actually want to write something insightful. A comment system should encourage informative posts, not make them impossible like the Youtube system does.

      The latest changes that the highest rated comments and comments from the video upload appear on top have helped a bit to clean up the mess, but it's still far away from being a comment system where people actually can have a meaningful discussion.

    2. Re:I'd love to see the Comments removed period by Thantik · · Score: 2, Interesting

      On top of that they need to implement some sort of penalty system for people who regularly post things that are downvoted. If out of 10 posts, the amount of downvotes you've gotten is higher than 80% then implement a week long "cool-off" period in which it resets to 0

    3. Re:I'd love to see the Comments removed period by Dr+Herbert+West · · Score: 3, Informative

      Really? You put client-facing work on YouTube? Ouch.

      If you don't want to spare the bandwidth on your own site (how much data are you pushing, anyway?) then try Vimeo. Cleaner, better optimization, has private (need a password) channels, offers a "pro" service where you get unlimited uploads, etc.

      It's mainly used by video artists, tech demos, etc.

  10. Why natural language needs grouping symbols by Anonymous Coward · · Score: 5, Funny

    a "How to learn PHP in 24 hours!" book

    Does that mean:

    1. It teaches you, over the course of an unspecified period of time, how to learn PHP in 24 hours?
    2. It teaches you, over the course of 24 hours, how to learn PHP? or
    3. After 24 hours have elapsed, it teaches you how to learn PHP?

    Note that it doesn't actually teach you PHP. It just teaches you how to learn it.

    1. Re:Why natural language needs grouping symbols by maxwell+demon · · Score: 3, Funny

      No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Why natural language needs grouping symbols by weicco · · Score: 2, Funny

      I can't wait 24 hours! Got to get 12 hour book...

      --
      You don't know what you don't know.
    3. Re:Why natural language needs grouping symbols by CODiNE · · Score: 2, Funny

      I've seen the book, option 3 is the correct answer.

      It's 1,440 pages of "Wait one minute, then turn the page" which sadly forces one into an inescapable loop for 24 hours. After one has starved, missed sleep and soiled oneself through this excruciating 24 hour period the last page says only this:

      Buy the book titled 'This book teaches you PHP'.

      I was thoroughly disappointed.

      --
      Cwm, fjord-bank glyphs vext quiz
    4. Re:Why natural language needs grouping symbols by osu-neko · · Score: 5, Funny

      No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

      An optimized version, then? ;)

      --
      "Convictions are more dangerous enemies of truth than lies."
    5. Re:Why natural language needs grouping symbols by Kreigaffe · · Score: 4, Funny

      The first time I hear anyone ever fucking utter the word "Kibisecond" I'm just going to shoot them in the face. There's no other choice.

      --
      ... still waiting for this free-as-in-beer free beer I keep hearing about. :|
    6. Re:Why natural language needs grouping symbols by Anonymous Coward · · Score: 2, Funny

      How many Lojbanists does it take to change a broken light bulb? ...

      Two: one to figure out what to change it into, and one to figure out what kind of bulb emits broken light.

    7. Re:Why natural language needs grouping symbols by mjwx · · Score: 2, Funny

      If I ever need to refer to 1024 seconds, I'll be sure to do so when you're not around.

      Don't worry, he'll be back in a kibisecond.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    8. Re:Why natural language needs grouping symbols by L4t3r4lu5 · · Score: 2, Insightful

      Self-fulfilling prophecy?

      It's been nice knowing you.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  11. Re:Someone needs to lose their job over this by Krahar · · Score: 5, Informative

    This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.

    The summary states that the first script tag was escaped as it should be. It was a bug, not a lack of foresight.

  12. Interest pondering the how and why of such fails by DRJR · · Score: 3, Interesting

    I find it interesting pondering the how and why these things fail-- the insight into how the code must have been put together to fail on a particular input.

    My initial guess for this one would be that they escape html and scripts separately-- scripts do not need greater than, less than, and ampersand escaped-- and that detecting the keyword 'script' switched modes from html to script. The fact that the first script tag is properly html-escaped suggests that while it was properly detected, the code to switch between html and script modes did not take this detection into account and switched anyway. I'm going to further guess that this is due to some support code meant for the programmers' side that inadvertently managed to cross over into user land.

    My two cents.
    --Dave Romig, Jr.

  13. ... if you want to keep it by xororand · · Score: 4, Informative

    Get the YouTube Comment Snob addon for Firefox.

    YouTube Comment Snob filters out undesirable comments from YouTube comment threads. You can choose to have any of the following rules mark a comment for removal:

    * More than # spelling mistakes: The number of mistakes is customizable, and the extension uses Firefox's built-in spell checker.
    * All capital letters
    * No capital letters
    * Doesn't start with a capital letter
    * Excessive punctuation (!!!! ????)
    * Excessive capitalization
    * Profanity

    1. Re:... if you want to keep it by Rallion · · Score: 4, Funny

      *Reads list of filtering options*

      So does it just hide the whole comment section, or show it as being empty?

  14. Massive rickroll? by mwvdlee · · Score: 5, Funny

    If they didn't redirect ALL videos to a Rick Astley video, they have missed the opportunity of a lifetime.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  15. Is it Christmas already? by dswensen · · Score: 4, Interesting

    Comments turned off by default? Great! Any chance they can make that permanent?

    1. Re:Is it Christmas already? by Max+Romantschuk · · Score: 2, Insightful

      The comments never bothered me. I simply don't read them.

      --
      .: Max Romantschuk :: http://max.romantschuk.fi/
    2. Re:Is it Christmas already? by Wingnut64 · · Score: 4, Informative

      Any chance they can make that permanent?

      Use Adblock Plus and add the following element hiding rules:

      ##div#watch-discussion
      ##div.watch-comment-entry

      --
      echo 'Header append X-HD-DVD "0x09f911029d74e35bd84156c5635688c0"' >> /etc/apache2/httpd.conf
  16. Re:Ha ha by SpeedyDX · · Score: 4, Funny

    YouTube is supposed to be a kid-friendly place. Parents could do their best to try to responsibly monitor and guide their kids' surfing habits, but still fail because of this exploit. This is not funny, nor awesome. This is not someone finding a potential exploit and graciously letting Google know so they can patch it up. Just a bunch of 4channers screwing around, and to hell with the consequences. And people like you encouraging that type of behaviour.

    Just because this is The Internet(TM), it doesn't mean that common courtesy need not apply.

  17. Re:Ha ha by Anonymous Coward · · Score: 2, Informative

    From what I've seen, there were not only simple insults and racist annoyances, but numerous redirects to the hardest shock site you've probably ever seen. That video makes 2girls1cup, benzin.avi and even the hardest war-porn look like family-friendly softcore entertainment in comparison. It has something to do with 1 man and 1 jar and I dare you to Google that if you have doubt this is emotionally scarring material.

  18. Re:Ha ha by twidarkling · · Score: 4, Insightful

    Physical age doesn't necessarily correspond to mental age. Personally, I've been getting more immature as years pass.

    --
    Canada: The US's more awesome sibling.
  19. Re:htmlspecialchars() by Anonymous Coward · · Score: 2, Insightful

    Indeed, which is why everyone but Perl programmers uses library functions rather than writing their own regular expressions for working with markup. As a bonus you avoid little bugs like forgetting to escape '&', and it'll probably escape '"' and ''' as well so you can use it for attributes.

  20. Trolling as a method to expedite bug fixes? by twidarkling · · Score: 5, Interesting

    Since this was turned in to a massive, YouTube-wide trolling effort, it's being fixed nearly immediately. What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did? And used it for weeks? It would have been more subtle, and with YouTube's traffic, it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. Did 4chan just do a good thing?

    --
    Canada: The US's more awesome sibling.
  21. as usual, xkcd has this covered: by http · · Score: 2, Interesting
    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1
  22. Re:doesn't work anymore by christopherfinke · · Score: 4, Informative

    I'm the author, and I uploaded a new version that works with the latest YouTube design a few days ago. It's just pending approval by Mozilla.

  23. Re:Ha ha by Johnno74 · · Score: 4, Funny

    Physical age doesn't necessarily correspond to mental age. Personally, I've been getting more immature as years pass.

    "I have abandoned the quest for eternal youth and instead settled for lifelong immaturity"

  24. What I learned from this story by SmallFurryCreature · · Score: 3, Funny

    What I learned from this story:

    That goatse.cx is very old news and that there are whole new horrors I never even heard of.

    Someone must be looking out for me.

    You know you are living a blessed life when you got no idea what 1man1jar or lemon party is. Reminds me of being a little kid and having no idea what the adults were talking about. Only this time I know the value of ignorance.

    Let me see. 1 man 1 jar, must be about a man collecting pennies to buy a gift for his mother.

    Lemon party? Sweet lemonade for a hot summer day? Sounds fun.

    2girls1cup? Two girls riding the magic cup at disney?

    Please, don't correct me. Ignorance is bliss.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.