YouTube XSS Vulnerability Fixed [Official Statement]
Earlier today, a critical cross-site scripting (XSS) vulnerability was uncovered in YouTube. It now appears that the source of these attacks was Ebaumsworld, with 4Chan later chipping in to propagate it. Of course, each side is accusing the other of the wrongdoing.
Google swung into action fairly quickly, and the vulnerability has now been fixed. Jay Nancarrow, a spokesman for Google, reached out to us to issue the following statement:
“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”
In spite of Google’s swift response, the script kiddies managed to cause a fair amount of annoyance. A large selection of popular YouTube videos, especially Justin Bieber videos, were flooded with malicious comments. Fortunately for us, while obnoxious, most of these scripts did little damage other than irritating viewers.
4 Responses to this Article

The good thing is that the “malicious” content was not really that malicious. It was an important reminder that Internet security should be taken seriously and I don’t think any real harm has actually been done. Although we might not know yet what data leaked out to third-party sites through the XSS.
iTunes, on the other hand, suffered a major identity theft incident and all they said was that their customers should change their passwords and credit card numbers. Which is otherwise a very simple thing to do, isn’t it? And it is also very kind, particularly if you just lost hundreds of dollars on fake purchases.
The only thing that bugs me is how difficult it is to program a solid rich website with plenty of active content. There are so many things to keep in mind that without a great and vigilant team working for you, you are having a hard time keeping it safe.