YouTube hit by cross-site scripting vulnerability

YouTube hacked.

Rumours spread across the internet yesterday that YouTube had been hacked.

According to Chris Boyd, malware researcher at Sunbelt Software, a cross-site scripting (XSS) vulnerability allowed people to perform all manner of interesting things on video pages, starting with the ability to block fresh comments and soon moving into the realms of scrolling text.

Videos featuring Canadian teen singer Justin Bieber were specifically hit, although other random videos were also affected.

Rumours also spread across micro-blogging site Twitter, with its front page advising users not to ‘watch any YouTube videos or comment (on) them today, there's a virus! Spread!’

Boyd said: “Advising people to steer clear until the problem is fixed? That's good. Lots of people running around telling lots more people that there's a ‘virus’? That's not so good.

“Even hours after it's been fixed, people continue to talk about ‘getting infected’ by a nonexistent virus and there's a lot of unscheduled scans now taking place.”

He commented that the Chinese Whispers-style misinformation clouding the actual attack was pretty interesting, and if the exploit had been discovered by a professional moneymaking outfit, there could have been all sorts of subtle attacks taking place for a long time – not good, given the apparent simplicity of the attack.

Speaking to, Jay Nancarrow, a spokesman for YouTube's owner Google, said in a statement: “We took swift action to fix an XSS vulnerability on YouTube that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We're continuing to study the vulnerability to help prevent similar issues in the future.”

Copyright © SC Magazine, US edition