Eager YouTube fans were greeted with annoying pop-ups, disabled comments, and even porn redirects over Independence Day weekend as they tried to scope out their favorite videos. A group of malicious pranksters (believed to be from 4chan) was able to take advantage of an cross-site scripting vulnerability in YouTube’s comments Sunday, breaking as many video pages as possible before Google stepped in with a fix.
YouTube heavily restricts the use of HTML in the comments for videos, and with good reason. Left to their own devices, users could (purposefully or accidentally) redirect others to sites with malware or porn. YouTube employed a filter to ensure any HTML used in the comments was properly sanitized, but there was a flaw that allowed the 4chan crowd to get past the block with their own scripts.
That turned out to be as simple as using two script tags in a row (<script><script>fun scripting stuff goes here!), as noted by F-Secure researcher Mikko H. Hypponen on Twitter—the first of the two tags would get stripped, and the second was allowed through.
Chaos broke loose. Some observers said that Justin Beiber videos were the most heavily targeted, though if you peruse a help thread on YouTube’s forums about the issue, it seems as if the malicious scripts spread across all types of video pages on the site.
YouTube confirmed the incident in a statement sent to IDG, saying that comments were temporarily hidden within an hour and a fix was issued within two hours. “We’re continuing to study the vulnerability to help prevent similar issues in the future,” the Google spokesperson said. Google did not respond to our request for more details about what was fixed by publication time, but it’s likely that the company simply went through its comment system to strip out double script tags and added tighter controls to its HTML filter.
The incident reminds us that it’s not always a great idea to give users free reign over their own scripting code. Security researchers have been saying for years that social websites are a breeding ground for phishers and malware writers, due in large part to the sites’ willingness to let users post all manner of malformed updates or messages. That’s why YouTube had such a restriction in the first place, but it obviously wasn’t restricted enough.
Related Posts: On this day...
- Casey Anthony is/was hot - 2011
- Official "This website seized by feds" graphic - 2010
- World Cup trophy replica made of cocaine seized in Colombia - 2010
- 4chan prank means Justin Bieber must tour North Korea - 2010
- YouTube Uploads Doubled to 2GB, HD Embeds, and Linking Added - 2009
- Weather Channel: No more smooth jazz - 2009
- Tim O'Reilly: Kindle needs to embrace standards or die - 2009
- Facebook Advertising Coupons - 2008