Slashdot Mirror


YouTube Hit By HTML Injection Vulnerability

Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."

15 of 224 comments

  1. Series of tubes... by ae1294 · · Score: 5, Funny

    All of your tubes are belonging to US now.

    1. Re:Series of tubes... by KevMar · · Score: 5, Funny

      Somebody set up us the script bomb

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    2. Re:Series of tubes... by daremonai · · Score: 5, Funny

      That was actually two words ... Oh no, now we owe you overtime. Sneaky.

  2. I experienced this! by Anonymous Coward · · Score: 5, Funny

    I went to youtube, but all I saw was crap material. Someone had injected a bunch of crap!

  3. Evolution of an exploit by Anonymous Coward · · Score: 5, Informative

    The evolution of this bug exploit was quite interesting to follow up close.

    At first it simply prevented any further comments to be posted.
    Then text was added.
    Then the text was scrolling.
    Suddenly, the entire page was blacked out except for the added text.

    And that's when the more technical minded people realized much much more was possible.
    Bam! Popups!
    Infinite popups that lead to browser crashes!
    Page redirects to shock sites!
    The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video..

    And when the exploit was blocked in the comments, it had a small resurgence as video reply title, before being smacked down once more.

    Glorious.

    1. Re:Evolution of an exploit by larry+bagina · · Score: 5, Interesting

      Reminds me of the slashdot <a onhover=".."> bug. It was a while back (2000-2002 era?) but inline javascript wasn't filtered from a tags. The first exploit (that I saw, anyhow) simply used DHTML (as it was then known) to add (paraphrasing) "I can't believe this hasn't been fixed" to the post (which took about 5 minutes given the speed of computers, javascript, and dom manipulation). About 30 seconds later, redirects to porn, last measure, etc. appeared. Slashdot's initial response was to mod them down to -5 and then delete them.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

  4. An update by Virak · · Score: 5, Informative

    They actually got it fixed a bit after I submitted this story. A shame, lemonparty was a big step up from the usual level of discussion on YouTube videos. More seriously, I'm interested in finding out exactly what happened here. Hopefully Google will post some sort of explanation. YouTube is a massive site and it's somewhat bizarre seeing them make the sort of mistake you'd expect from something put together by a drooling moron with nothing but a "How to learn PHP in 24 hours!" book.

  5. Re:Ha ha by bsDaemon · · Score: 5, Funny

    Based on the typical YouTube comment (or video, for that matter), I already had sort of expected that to be the case.

  6. They hid all comments... by Inf0phreak · · Score: 5, Insightful

    wait for it... wait for it... And nothing of value was lost!

    --
    ________
    Entranced by anime since late summer 2001 and loving it ^_^
  7. The very definition of Youtube by Anonymous Coward · · Score: 5, Funny

    Lots of people anonymously "injecting" a bunch of crap into a website for all others to see.

    This exploit is just an alternative to the original "Upload Video" button.

  8. Why natural language needs grouping symbols by Anonymous Coward · · Score: 5, Funny

    a "How to learn PHP in 24 hours!" book

    Does that mean:

    1. It teaches you, over the course of an unspecified period of time, how to learn PHP in 24 hours?
    2. It teaches you, over the course of 24 hours, how to learn PHP? or
    3. After 24 hours have elapsed, it teaches you how to learn PHP?

    Note that it doesn't actually teach you PHP. It just teaches you how to learn it.

    1. Re:Why natural language needs grouping symbols by osu-neko · · Score: 5, Funny

      No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

      An optimized version, then? ;)

      --
      "Convictions are more dangerous enemies of truth than lies."
  9. Re:Someone needs to lose their job over this by Krahar · · Score: 5, Informative

    This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty, dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.

    The summary states that the first script tag was escaped as it should be. It was a bug, not a lack of foresight.

  10. Massive rickroll? by mwvdlee · · Score: 5, Funny

    If they didn't redirect ALL videos to a Rick Astley video, they have missed the opportunity of a lifetime.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  11. Trolling as a method to expedite bug fixes? by twidarkling · · Score: 5, Interesting

    Since this was turned in to a massive, YouTube-wide trolling effort, it's being fixed nearly immediately. What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did? And used it for weeks? It would have been more subtle, and with YouTube's traffic, it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. Did 4chan just do a good thing?

    --
    Canada: The US's more awesome sibling.