Google fixes cross-site scripting vulnerability in YouTube comments
Over the weekend, unknown perpetrators added comments containing HTML code to a number of videos on YouTube. The HTML code was then executed in visitors' browsers. According to several US media reports, videos by young singer Justin Bieber in particular were targeted by the attacks.
According to one report, the comments caused pop-ups containing insulting messages to open and also opened additional (adult) web pages. It's not clear whether these web pages also led to malware-infected web sites and infected users' PCs. Some German bloggers also fell victim (German language link) to the XSS attacks, with unknown perpetrators placing moving text across the screen using the marquee HTML tag.
In principle, attackers could also have used the cross-site scripting vulnerability to steal authentication cookies, allowing them to log onto YouTube under false pretences. Although YouTube is owned by Google, the exploit did not allow access to Google accounts. Google initially deactivated comments over the weekend and has now fixed the vulnerability. However, comments remain disabled for some of the affected videos. It's still unclear how long the vulnerability has been present. Google is looking into the problem to ensure it does not happen again.