YouTube XSS Vulnerability Fixed [Official Statement]

Earlier today, a critical cross-site scripting (XSS) vulnerability was uncovered in YouTube. It now appears that the source of these attacks was Ebaumsworld, with 4Chan later chipping in to propagate them. Of course, each side is accusing the other of the wrongdoing.

Google swung into action fairly quickly, and the vulnerability has now been fixed. Jay Nancarrow, a spokesman for Google, reached out to us to issue the following statement:

We took swift action to fix a cross-site scripting (XSS) vulnerability on that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.

In spite of Google’s swift response, the script kiddies managed to cause a fair amount of annoyance. A large selection of popular YouTube videos, especially Justin Bieber videos, were flooded with malicious comments. Fortunately for us, while obnoxious, most of these scripts did little damage other than irritating viewers.

Published by

Pallab De

Pallab De is a blogger from India who has a soft spot for anything techie. He loves trying out new software and spends most of his day breaking and fixing his PC. Pallab loves participating in the social web; he has been active in technology forums since he was a teenager and is an active user of both Twitter (@indyan) and Facebook.


  • The good thing is that the “malicious” content was not really that malicious. It was an important reminder that Internet security should be taken seriously and I don’t think any real harm has actually been done. Although we might not know yet what data leaked out to third party sites through the XSS.

    iTunes, on the other hand, suffered a major identity theft incident and all they said was that their customers should change their passwords and credit card numbers. Which is otherwise a very simple thing to do, isn’t it? And it is also very kind, particularly if you just lost hundreds of dollars on fake purchases.

    The only thing that bugs me is how difficult it is to program a solid rich website with plenty of active content. There are so many things to keep in mind that without a great and vigilant team working for you, you are having a hard time keeping it safe.
