In association with heise online

05 July 2010, 13:00

Google fixes cross-site scripting vulnerability in YouTube comments

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

YouTube Logo Over the weekend, unknown perpetrators added comments containing HTML code to a number of videos on YouTube. The HTML code was then executed in visitors' browsers. According to several US media reports, videos by young singer Justin Bieber in particular were targeted by the attacks.

According to one report, the comments caused pop-ups containing insulting messages to open and also opened additional (adult) web pages. It's not clear whether these web pages also led to malware-infected web sites and infected users' PCs. Some German bloggers also fell victim (German language link) to the XSS attacks, with unknown perpetrators placing moving text across the screen using the marquee HTML tag.

In principle, attackers could also have used the cross-site scripting vulnerability to steal authentication cookies, allowing them to log onto YouTube under false pretences. Although YouTube is owned by Google, the exploit did not allow access to Google accounts. Google initially deactivated comments over the weekend and has now fixed the vulnerability. However, comments remain disabled for some of the affected videos. It's still unclear how long the vulnerability has been present. Google is looking into the problem to ensure it does not happen again.

Web site operators usually deploy mechanisms to try to prevent users from embedding active content such as JavaScript in profiles, comments, descriptions and other information. Twitter was also recently forced to fix an XSS vulnerability triggered when assessing which Twitter client is being used. Code embedded in a client's agent string could be executed in a follower's browser.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit