Follow Slashdot stories on Twitter


Forgot your password?
Youtube Google Security News

YouTube Hit By HTML Injection Vulnerability 224

Posted by Soulskill
from the enjoy-the-holiday-google dept.
Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."
This discussion has been archived. No new comments can be posted.

YouTube Hit By HTML Injection Vulnerability

Comments Filter:
  • by Anonymous Coward on Sunday July 04, 2010 @12:44PM (#32792296)

    The evolution of this bug exploit was quite interesting to follow up close.

    At first it simply prevented any further comments to be posted.
    Then text was added.
    Then the text was scrolling.
    Suddenly, the entire page was blacked out except for the added text.

    And that's when the more technical minded people realized much much more was possible.
    Bam! Popups!
    Infinite popups that lead to browser crashes!
    Page redirects to shock sites!
    The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video..

    And when the exploit was blocked in the comments, it had a small resurgence as video reply title, before being smacked down once more.


  • An update (Score:5, Informative)

    by Virak (897071) on Sunday July 04, 2010 @12:44PM (#32792298) Homepage

    They actually got it fixed a bit after I submitted this story. A shame, lemonparty was a big step up from the usual level of discussion on YouTube videos. More seriously, I'm interested in finding out exactly what happened here. Hopefully Google will post some sort of explanation. YouTube is a massive site and it's somewhat bizarre seeing them make the sort of mistake you'd expect from something put together by a drooling moron with nothing but a "How to learn PHP in 24 hours!" book.

  • by Krahar (1655029) on Sunday July 04, 2010 @01:23PM (#32792486)

    This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.

    The summary states that the first script tag was escaped as it should be. It was a bug, not a lack of foresight.

  • by xororand (860319) on Sunday July 04, 2010 @01:28PM (#32792520)

    Get the YouTube Comment Snob [] addon for Firefox.

    YouTube Comment Snob filters out undesirable comments from YouTube comment threads. You can choose to have any of the following rules mark a comment for removal:

    * More than # spelling mistakes: The number of mistakes is customizable, and the extension uses Firefox's built-in spell checker.
    * All capital letters
    * No capital letters
    * Doesn't start with a capital letter
    * Excessive punctuation (!!!! ????)
    * Excessive capitalization
    * Profanity

  • by Stalks (802193) * on Sunday July 04, 2010 @01:37PM (#32792578)

    Don't you mean...

    "Somebody script up us the bomb"

  • Re:Ha ha (Score:2, Informative)

    by Anonymous Coward on Sunday July 04, 2010 @02:06PM (#32792714)

    From what I've seen, there were not only simple insults and racist annoyances, but numerous redirects to the hardest shock site you've probably ever seen. That video makes 2girls1cup, benzin.avi and even the hardest war-porn look like family-friendly softcore entertainment in comparison. It has something to do with 1 man and 1 jar and I dare you to Google that if you have doubt this is emotionally scarring material.

  • by Wingnut64 (446382) on Sunday July 04, 2010 @02:33PM (#32792846)

    Any chance they can make that permanent?

    Use Addblock Plus and add the following element hiding rules:


  • by Anonymous Coward on Sunday July 04, 2010 @03:33PM (#32793230)

    That's DECIMAL time, not metric time.

    SI units only define second, so there is 1 second, 1 kilo-second, 1 mega-second, 1 giga-second, etc...

    If you look in the first link, you'll notice that 1 decimal-second = 0.864s

  • by Dr Herbert West (1357769) on Sunday July 04, 2010 @04:22PM (#32793588)
    Really? You put client-facing work on YouTube? Ouch.

    If you don't want to spare the bandwidth on your own site (how much data are you pushing, anyway?) then try Vimeo. Cleaner, better optimization, has private (need a password) channels, offers a "pro" service where you get unlimited uploads, etc.

    It's mainly used by video artists, tech demos, etc.
  • by christopherfinke (608750) <> on Sunday July 04, 2010 @05:53PM (#32794070) Homepage Journal

    I'm the author, and I uploaded a new version that works with the latest YouTube design a few days ago. It's just pending approval by Mozilla.

The solution of this problem is trivial and is left as an exercise for the reader.