It appears that YouTube is vulnerable to XSS (cross-site scripting) attacks. Details are scarce since this is a breaking story. However, according to the preliminary information available to us, it is possible to hijack cookies to gain access to a logged-in user’s Gmail and YouTube accounts.
Spread the word to your friends and family members and help them stay protected. We will update you as soon as we learn more.
Update 1: TheNextWeb is reporting that Justin Bieber videos are being targeted in a big way.
Update 2: YouTube has now blocked all scripts from comments. However, video titles are also vulnerable and video responses are now being used to exploit the vulnerability.
Update 3: Google has issued an official statement.