Forgot your password?
typodupeerror
Youtube Google Security News

YouTube Hit By HTML Injection Vulnerability 224

Posted by Soulskill
from the enjoy-the-holiday-google dept.
Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."
This discussion has been archived. No new comments can be posted.

YouTube Hit By HTML Injection Vulnerability

Comments Filter:
  • by ae1294 (1547521) on Sunday July 04, 2010 @12:39PM (#32792264) Journal

    All of your tubes are belonging to US now.

  • by Anonymous Coward on Sunday July 04, 2010 @12:40PM (#32792270)

    I went to youtube, but all I saw was crap material. Someone had injected a bunch of crap!

  • by Anonymous Coward on Sunday July 04, 2010 @12:44PM (#32792296)

    The evolution of this bug exploit was quite interesting to follow up close.

    At first it simply prevented any further comments to be posted.
    Then text was added.
    Then the text was scrolling.
    Suddenly, the entire page was blacked out except for the added text.

    And that's when the more technical minded people realized much much more was possible.
    Bam! Popups!
    Infinite popups that lead to browser crashes!
    Page redirects to shock sites!
    The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video..

    And when the exploit was blocked in the comments, it had a small resurgence as video reply title, before being smacked down once more.

    Glorious.

    • by larry bagina (561269) on Sunday July 04, 2010 @01:32PM (#32792554) Journal
      Reminds me of the slashdot <a onhover=".."> bug. It was a while back (2000-2002 era?) but inline javascript wasn't filtered from a tags. The first exploit (that I saw, anyhow) simply used DHTML (as it was then known) to add (paraphrasing) "I can't believe this hasn't been fixed" to the post. (which took about 5 minutes given the speed of computers, javascript, and dom manipulation). About 30 seconds later, redirects to porn, last measure, etc appeared. Slashdot's initial response was to mod them down to -5 and then deleting them.
      • by hattig (47930)

        Hmm, I remember that, I remember embedded Freshmeat as an embedded iframe thing into a Slashdot post at the time...

        I don't think I could do that off the top of my head anymore. But my cooking skills have improved!

    • by wmbetts (1306001) on Sunday July 04, 2010 @01:37PM (#32792570)

      I'm really surprised it used for trolling rather than making money. That seems like a phishers wet dream.

    • by Anonymous Coward on Sunday July 04, 2010 @02:14PM (#32792758)

      I saw someone on /g/ claim to have pulled 300k+ youtube user cookies doing this. The bad thing is your YT account is usually tied to gmail now. Scary... glad I had noscript on.

  • An update (Score:5, Informative)

    by Virak (897071) on Sunday July 04, 2010 @12:44PM (#32792298) Homepage

    They actually got it fixed a bit after I submitted this story. A shame, lemonparty was a big step up from the usual level of discussion on YouTube videos. More seriously, I'm interested in finding out exactly what happened here. Hopefully Google will post some sort of explanation. YouTube is a massive site and it's somewhat bizarre seeing them make the sort of mistake you'd expect from something put together by a drooling moron with nothing but a "How to learn PHP in 24 hours!" book.

    • by Anonymous Coward on Sunday July 04, 2010 @12:54PM (#32792350)

      a "How to learn PHP in 24 hours!" book

      Does that mean:

      1. It teaches you, over the course of an unspecified period of time, how to learn PHP in 24 hours?
      2. It teaches you, over the course of 24 hours, how to learn PHP? or
      3. After 24 hours have elapsed, it teaches you how to learn PHP?

      Note that it doesn't actually teach you PHP. It just teaches you how to learn it.

      • by JamesP (688957)

        Actually, it teaches you PHP if you're on the cast of '24 hours'

      • Re: (Score:3, Funny)

        by maxwell demon (590494)

        No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

      • Re: (Score:3, Funny)

        by weicco (645927)

        I can't wait 24 hours! Got to get 12 hour book...

      • by roman_mir (125474)

        It does no such thing, that book talks about a guy I know, who is about to learn PHP. The guy's name is How, yes all my friends are like that.

      • Re: (Score:3, Funny)

        by CODiNE (27417)

        I've seen the book, option 3 is the correct answer.

        It's 1,440 pages of "Wait one minute, then turn the page" which sadly forces one into an inescapable loop for 24 hours. After one has starved, missed sleep and soiled oneself through this excruciating 24 hour period the last page says only this:

        Buy the book titled 'This book teaches you PHP'.

        I was thoroughly disappointed.

      • by tomhudson (43916)

        I'm in Canada - we're on METRIC time, you insensitive clod! 100 seconds per minute, 100 minutes per hour, 10 hours per day!

      • Re: (Score:2, Funny)

        by Anonymous Coward

        How many Lojbanists does it take to change a broken light bulb? ...

        Two: one to figure out what to change it into, and one to figure out what kind of bulb emits broken light.

    • If I had to guess, I think it's a variant of an attack [notmysock.org] I've seen before.

    • by mikael_j (106439)

      Yes, this does seem like the kind of bug I'd expect halfway competent dev to take into consideration when building a site. A very simple fix is to translate all < and > characters to the & lt; and & gt; versions instead, AFAIK youtube doesn't even allow HTML in comments anyway...

    • Re: (Score:2, Interesting)

      by MalHavoc (590724)
      I'd also be interested in knowing if this bug had been an issue for a long time. It seems like the sort of exploit that would have been very quickly discovered. I'm not a big YouTube comment reader, but I've noticed some interface/UI tweaks to the way comments can be thumbed up/down in recent weeks. Perhaps this crept in as a result of those.
    • We only just had a big debate over whether going to university makes you a better coder or not in the Zoho topic. http://news.slashdot.org/story/10/07/01/208222/Zoho-Dont-Need-No-Stinking-PhD-Programmers [slashdot.org]

      In there Google and their army of PhDs was mentioned as proof that a degree really matters.

      It appears even with a PhD you're still susceptible to making school boy errors. Zoho can make these sorts of errors for much less by hiring kids straight out of high school. :P
      • The fact that educated people make mistakes is not equivalent to whether uneducated people can make educated programming decisions.

        Outside of school, do you really think someone will pick up on the math and other concepts necessary to, for just one example, calculate the Big-O of a part of their program? Or understand why they should?
        • Outside of school, do you really think someone will pick up on the math and other concepts necessary to, for just one example, calculate the Big-O of a part of their program?

          Sure, why not? I found it to be O(1).
  • by Inf0phreak (627499) on Sunday July 04, 2010 @12:46PM (#32792310)
    wait for it... wait for it... And nothing of value was lost!
  • Really? (Score:2, Interesting)

    by Dremth (1440207)
    Wow. You'd think somebody would've figured out something like this a long time ago.
    • Re:Really? (Score:5, Insightful)

      by Scrameustache (459504) on Sunday July 04, 2010 @01:03PM (#32792382) Homepage Journal

      Wow. You'd think somebody would've figured out something like this a long time ago.

      But since merely gazing at youTube comments lowers your IQ by at least 20 points, I'm actually amazed someone found it. Must have used some of kind of proxy who looked at it, got dumber for it, but managed to pass along the code to someone who could look at it without being exposed to the dumb.

  • by Anonymous Coward on Sunday July 04, 2010 @12:52PM (#32792340)
    Lots of people anonymously "injecting" a bunch of crap into a website for all others to see.

    This exploit is just an alternative to the original "Upload Video" button.
  • by Anonymous Coward

    A lot of the comments are just troll BS. Most people log on for videos not to read the ramblings of basement dwelling trolls. I try to ignore them but they can be really obnoxious. I don't post on Youtube but I have had things pirated and posted just so they could make obnoxious comments. The work posted was just previs stuff that was just done for editing slugs but it was presented as finished work. It caused some trouble with a client so I got a lot more careful about letting development work out there. I

    • by grumbel (592662) <grumbel@gmx.de> on Sunday July 04, 2010 @01:18PM (#32792456) Homepage

      A lot of the comments are just troll BS.

      Yes, but I blame the comment system for that. A comment system that doesn't allow links, doesn't allow more then a handful of characters, is a complete usability nightmare when you want to browse more then the last ten comments, doesn't allow search and doesn't support threads or replies properly is just useless when you actually want to write something insightful. A comment system should encourage informative posts, not make them impossible like the Youtube system does.

      The latest changes that the highest rated comments and comments from the video upload appear on top have helped a bit to cleanup the mess, but its still far away from being a comment system where people actually can have a meaningful discussion.

      • Re: (Score:2, Interesting)

        by Thantik (1207112)

        On top of that they need to implement some sort of penalty system for people who regularly post things that are downvoted. If out of 10 posts, the amount of downvotes you've gotten is higher than 80% then implement a week long "cool-off" period in which it resets to 0

      • by Lije Baley (88936)

        Yes, if only they had a more sophisticated comment system, then the level of discourse would be closer to that of Slashdot or /b/.

    • Re: (Score:3, Informative)

      Really? You put client-facing work on YouTube? Ouch.

      If you don't want to spare the bandwidth on your own site (how much data are you pushing, anyway?) then try Vimeo. Cleaner, better optimization, has private (need a password) channels, offers a "pro" service where you get unlimited uploads, etc.

      It's mainly used by video artists, tech demos, etc.
  • I wonder how many times this vulnerability was used to deliver malware.

  • by DRJR (1842278) on Sunday July 04, 2010 @01:25PM (#32792500) Homepage

    I find it interesting pondering the how and why these things fail-- the insight into how the code must have been put together to fail on a particular input.

    My initial guess for this one would be that they escape html and scripts separately-- scripts do not need greater than, less than, and ampersand escaped-- and that detecting the keyword 'script' switched modes from html to script. The fact that the first script tag is properly html-escaped suggests that while it was properly detected, the code to switch between html and script modes did not take this detection into account and switched anyway. I'm going to further guess that this do to some support code meant for the programmers' side inadvertently managed to cross over into user land.

    My two cents.
    --Dave Romig, Jr.

    • by mwvdlee (775178)

      Why would they have a distinction between a HTML and a script mode on comments? Is there any reason you'd ever want a comment to contain a script?

      • by linguizic (806996)
        Exactly, why not just escape the whole thing? Or if you're even more paranoid, why not just strip the script tags and everything in between? That being said, the fact that this exploit exists in the first place shows that they're not doing either one of those things.
    • Nice, long and contrived explanation.

      Much more likely they forgot to set the correct parameter to have ALL the occurrence replaced instead of the left-most longest occurrence.
      (for example, they forgot to put a "g" after the RegExp)

  • by mwvdlee (775178) on Sunday July 04, 2010 @01:38PM (#32792580) Homepage

    If they didn't redirect ALL videos to a Rick Astley video, they have missed the opportunity of a lifetime.

  • by dswensen (252552) on Sunday July 04, 2010 @01:43PM (#32792610) Homepage

    Comments turned off by default? Great! Any chance they can make that permanent?

    • Re: (Score:3, Insightful)

      The comments never bothered me. I simply don't read them.

    • by Wingnut64 (446382) on Sunday July 04, 2010 @02:33PM (#32792846)

      Any chance they can make that permanent?

      Use Addblock Plus and add the following element hiding rules:

      ##div#watch-discussion
      ##div.watch-comment-entry

  • by twidarkling (1537077) on Sunday July 04, 2010 @02:44PM (#32792916)

    Since this was turned in to a massive, YouTube-wide trolling effort, it's being fixed nearly immediately. What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did? And used it for weeks? It would have been more subtle, and with YouTube's traffic, it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. Did 4chan just do a good thing?

    • "What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did?"

      What tells you they didn't?

    • by mxs (42717)

      You assume, of course, that this bug is recent, 4chan was the first to discover it, and that there hasn't been any subtile, massively successful abuse for weeks.

  • How much of this kind of problem is caused by the standard behavior of browsers to make a 'best guess' at interpreting 'bad' HTML, since the parsing rules are very lax compared to XML?

    Should unmatched tags cause the browser to stop and say 'Parsing Error, Invalid HTML'? (or whatever user-friendly message the browser author writes)

    'cause I could totally imagine someone, somewhere writing a browser that sees '&lt's and auto-re-encodes them, then does it's tag parsing.

    Back around 1998 I worked for a compan

    • The first bug I found was that a new user could insert script tags in their username (any field, really), my employers response was "Why would anyone want to hack a website?"... I wouldn't drop the issue, so they dropped me.

      Did you then DROP their tables?

  • Get inspired from places with mature attitudes on drug abuse; those with safe injecting sites.

    Youtube feels like a drug to me at times...I'd elaborate on this viewpoint but a vid of a cat and a dog chasing their own tails at the same time interests me more.

  • It's only bad design / coding / development - who cares! It happens all the time and will happen as long as the subpar designs / development / coding is allowed. Mostly I would blame the design of these systems - it's very difficult to (safely) implement anything which is already broken, as most of the systems today! Or - if you don't agree, list the systems that haven't been broken one time or other? Or - which will not be broken in future?

    Seriously - after fighting long enough years for safe and secure de

  • by SmallFurryCreature (593017) on Monday July 05, 2010 @05:52AM (#32797754) Journal

    What I learned from this story:

    That goatse.cx is very old news and that there are whole new horrors I never even heard of.

    Someone must be looking out for me.

    You know you are living a blessed life when you got no idea what 1man1jar or lemon party is. Reminds me of being a little kid and having no idea what the adults were talking about. Only this time I know the value of ignorance.

    Let me see. 1 man 1 jar, must be about a man collecting pennies to buy a gift for his mother.

    Lemon party? Sweet lemonade for a hot summer day? Sounds fun.

    2girls1cup? Two girls riding the magic cup at disney?

    Please, don't correct me. Ignorance is bliss.

Somebody ought to cross ball point pens with coat hangers so that the pens will multiply instead of disappear.

Working...