YouTube Hit By HTML Injection Vulnerability 224
Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."
Evolution of an exploit (Score:5, Informative)
The evolution of this bug exploit was quite interesting to follow up close.
At first it simply prevented any further comments to be posted.
Then text was added.
Then the text was scrolling.
Suddenly, the entire page was blacked out except for the added text.
And that's when the more technical minded people realized much much more was possible.
Bam! Popups!
Infinite popups that lead to browser crashes!
Page redirects to shock sites!
The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video..
And when the exploit was blocked in the comments, it had a small resurgence as video reply title, before being smacked down once more.
Glorious.
An update (Score:5, Informative)
They actually got it fixed a bit after I submitted this story. A shame, lemonparty was a big step up from the usual level of discussion on YouTube videos. More seriously, I'm interested in finding out exactly what happened here. Hopefully Google will post some sort of explanation. YouTube is a massive site and it's somewhat bizarre seeing them make the sort of mistake you'd expect from something put together by a drooling moron with nothing but a "How to learn PHP in 24 hours!" book.
Re:Someone needs to lose their job over this (Score:5, Informative)
This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.
The summary states that the first script tag was escaped as it should be. It was a bug, not a lack of foresight.
... if you want to keep it (Score:5, Informative)
Get the YouTube Comment Snob [mozilla.org] addon for Firefox.
YouTube Comment Snob filters out undesirable comments from YouTube comment threads. You can choose to have any of the following rules mark a comment for removal:
* More than # spelling mistakes: The number of mistakes is customizable, and the extension uses Firefox's built-in spell checker.
* All capital letters
* No capital letters
* Doesn't start with a capital letter
* Excessive punctuation (!!!! ????)
* Excessive capitalization
* Profanity
Re:Series of tubes... (Score:2, Informative)
Don't you mean...
"Somebody script up us the bomb"
Re:Ha ha (Score:2, Informative)
From what I've seen, there were not only simple insults and racist annoyances, but numerous redirects to the hardest shock site you've probably ever seen. That video makes 2girls1cup, benzin.avi and even the hardest war-porn look like family-friendly softcore entertainment in comparison. It has something to do with 1 man and 1 jar and I dare you to Google that if you have doubt this is emotionally scarring material.
Re:Is it Christmas already? (Score:5, Informative)
Any chance they can make that permanent?
Use Addblock Plus and add the following element hiding rules:
##div#watch-discussion
##div.watch-comment-entry
Re:Why natural language needs grouping symbols (Score:1, Informative)
That's DECIMAL time, not metric time.
SI units only define second, so there is 1 second, 1 kilo-second, 1 mega-second, 1 giga-second, etc...
http://en.wikipedia.org/wiki/Decimal_time
http://en.wikipedia.org/wiki/Metric_time
If you look in the first link, you'll notice that 1 decimal-second = 0.864s
Re:I'd love to see the Comments removed period (Score:3, Informative)
If you don't want to spare the bandwidth on your own site (how much data are you pushing, anyway?) then try Vimeo. Cleaner, better optimization, has private (need a password) channels, offers a "pro" service where you get unlimited uploads, etc.
It's mainly used by video artists, tech demos, etc.
Re:doesn't work anymore (Score:5, Informative)
I'm the author, and I uploaded a new version that works with the latest YouTube design a few days ago. It's just pending approval by Mozilla.