YouTube Hit By HTML Injection Vulnerability 224
Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."
htmlspecialchars() (Score:1, Interesting)
Problem solved?
Really? (Score:2, Interesting)
I'd love to see the Comments removed period (Score:2, Interesting)
A lot of the comments are just troll BS. Most people log on for videos not to read the ramblings of basement dwelling trolls. I try to ignore them but they can be really obnoxious. I don't post on Youtube but I have had things pirated and posted just so they could make obnoxious comments. The work posted was just previs stuff that was just done for editing slugs but it was presented as finished work. It caused some trouble with a client so I got a lot more careful about letting development work out there. It's just sad a handful have to spoil things for everyone else. I used to post a lot of development work on my web site but I stopped completely. Trolls are like the people that talk and answer phone calls and take infants to movies. They really spoil the experience for the rest of us. I say if the comments can't be a constructive outlet then remove them and get rid of that security hole completely. The other option for security would be removing the HTML and go pure text. It's nice having HTML input but you don't really need the formatting for comments and it's always going to be a source of potential holes.
Re:htmlspecialchars() (Score:1, Interesting)
I think you can count the lines of PHP in the Youtube codebase on zero hands, but yes, that would be the gist of it.
Proper escaping isn't that hard, so this sounds like a poorly thought-out anti-injection measure accidentally circumvented the usual escaping. Generic blacklist-based XSS filters are pretty much useless, there's just too many ways to get a browser to execute some code, even without the general potential for fucking up your site.
Re:I'd love to see the Comments removed period (Score:5, Interesting)
A lot of the comments are just troll BS.
Yes, but I blame the comment system for that. A comment system that doesn't allow links, doesn't allow more then a handful of characters, is a complete usability nightmare when you want to browse more then the last ten comments, doesn't allow search and doesn't support threads or replies properly is just useless when you actually want to write something insightful. A comment system should encourage informative posts, not make them impossible like the Youtube system does.
The latest changes that the highest rated comments and comments from the video upload appear on top have helped a bit to cleanup the mess, but its still far away from being a comment system where people actually can have a meaningful discussion.
Interest pondering the how and why of such fails (Score:3, Interesting)
I find it interesting pondering the how and why these things fail-- the insight into how the code must have been put together to fail on a particular input.
My initial guess for this one would be that they escape html and scripts separately-- scripts do not need greater than, less than, and ampersand escaped-- and that detecting the keyword 'script' switched modes from html to script. The fact that the first script tag is properly html-escaped suggests that while it was properly detected, the code to switch between html and script modes did not take this detection into account and switched anyway. I'm going to further guess that this do to some support code meant for the programmers' side inadvertently managed to cross over into user land.
My two cents.
--Dave Romig, Jr.
Re:Evolution of an exploit (Score:5, Interesting)
Is it Christmas already? (Score:5, Interesting)
Comments turned off by default? Great! Any chance they can make that permanent?
Re:Evolution of an exploit (Score:4, Interesting)
I saw someone on /g/ claim to have pulled 300k+ youtube user cookies doing this. The bad thing is your YT account is usually tied to gmail now. Scary... glad I had noscript on.
Trolling as a method to expidite bug fixes? (Score:5, Interesting)
Since this was turned in to a massive, YouTube-wide trolling effort, it's being fixed nearly immediately. What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did? And used it for weeks? It would have been more subtle, and with YouTube's traffic, it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. Did 4chan just do a good thing?
Re:Trolling as a method to expidite bug fixes? (Score:1, Interesting)
For some reason, you're assuming it wasn't used by scammers, and that it wasn't known for more than a few hours.
as usual, xkcd has this covered: (Score:3, Interesting)
Re:I'd love to see the Comments removed period (Score:2, Interesting)
On top of that they need to implement some sort of penalty system for people who regularly post things that are downvoted. If out of 10 posts, the amount of downvotes you've gotten is higher than 80% then implement a week long "cool-off" period in which it resets to 0
Re:An update (Score:2, Interesting)
Re:Trolling as a method to expidite bug fixes? (Score:1, Interesting)
Probably. I know some people on 4chan /g/ though, hours before this hit slashdot, were bragging about getting people's youtube/gmail session cookies via an XSS attack through this exploit, then logging into their gmail accounts, looking for other account information to figure out the gmail password, as most people use the same password for everything (it's not so simple to simply reset the gmail password, as you need to re-enter in the current password again, having just the session cookie isn't enough). I'm sure a sizable portion of people had their email accounts hijacked.
Who knows how long that has been going on.