Warning: Highly Critical XSS Vulnerability Discovered in YouTube
By on July 4th, 2010

YouTube-VulnerabilityIt appears that YouTube is vulnerable to XSS (cross-site scripting) attacks. Details are scarce since this is a breaking story. However, according to preliminary information available with us, it is possible to hijack cookies to gain access to a logged-in user’s Gmail and YouTube accounts.

Although, it’s unclear who discovered this vulnerability, 4Chan users are already trying to actively exploit it. The exploit makes use of PHP, JavaScript, and XSS, and is being spread through comments on videos. Any logged in user who has browsed to an infected page is vulnerable. The best solution is to completely log out of YouTube until this issue has been fixed. If you are worried that you have viewed an infected video, delete all your cookies.

Spread the word to your friends and family members and help them stay protected. We will update you as soon as we learn more.

Update 1: TheNextWeb is reporting that Justin Bieber videos are being targeted in a big way.

Update 2: YouTube has now blocked all scripts from comments. However, video titles are also vulnerable and video responses are now being used to exploit the vulnerability.

Update 3: Google has issued an official statement.

Tags: , , ,
Author: Pallab De Google Profile for Pallab De
Pallab De is a blogger from India who has a soft spot for anything techie. He loves trying out new software and spends most of his day breaking and fixing his PC. Pallab loves participating in the social web; he has been active in technology forums since he was a teenager and is an active user of both twitter (@indyan) and facebook .

Pallab De has written and can be contacted at pallab@techie-buzz.com.
  • Daniel

    Thanks for the advice and breaking the story as I think I may have visited an infected site (well it linked to the goatse website when I clicked on a users name who was runnning a script) But I have changed my password to a very strong one and logged out with only clearing of my cookies left to do.

    Damn it 4Chan

  • Daniel

    Thanks for the advice and breaking the story as I think I may have visited an infected site (well it linked to the goatse website when I clicked on a users name who was runnning a script) But I have changed my password to a very strong one and logged out with only clearing of my cookies left to do.

    Damn it 4Chan, you guys are funny but sometimes take it too far!

    • ShrubberyDemander

      It wasn't 4chan. It was Ebaum's World. Common mistake.

      • Daniel

        So how come so many 4Chan users are taking responsibility and claiming it was them? Or do you think It could've been a combination of both with the exploit been posted to both sites?

      • http://www.pallab.net Pallab De

        As I mentioned in the article, I am not sure about the origin exploit (as in who discovered the vulnerability). But, 4Chan definitely played a part in spreading the news. Just a short while ago, there were threads in /b/ discussing how to exploit the vulnerability and sharing hacked youtube username/passwords.

        • Anon

          While 4chan may not have discovered the vulnerability, they were the ones who definitely raided youtube.

    • eBaumfan

      No silly, 4chan uses the rules of the internet. Rules 1+2 indicate that they do not say it was them, so some other website cops it. Usually it's eBaums, cause they're faggots and steal everything. We don't like people visiting our site because then "newfags" (oldfags trollin') come along and make everything pissweak. It was 4chan…

  • where_am_i?

    Thank you Ebaumsworld!!!

  • http://www.twitter.com/rushton2 Andrew

    It's fixed now.

  • Erick

    Why does 4chan always get blamed for ebaums world's doing?

    • Anon

      Because 4chan caused the raid.

      I was there…(not participating, of course)

  • anonymous

    he he, 4chan did a good thing spreading the word with a funny intent, doubt you will get infected if you don't click on show hidden comments as it;'s the thing that triggers it

  • [email protected]

    This exploit shows that we still have the power to shake the base of internet. This day will be remembered along with 4chan.

    • anon666

      It was ebaumsworld. everyone knows that. What are you talking about?

  • techie666

    XHTML: You can use these tags: title="O M G ">

    I have evidence this evil attack comes from this evil mindet retards of ebaumsworld.

    O M G, when will lawenforcement stop this bad bad boys, when.

  • Mesis

    Man it’s those a-holes from Ebaums World again :/ When will they ever stop, I need my daily dosage of youtube!

    DAMN YOU EBAUMS, DAMN YOU TO HELL!

  • http://www.technologyslice.com.au Tech

    I think Google already fixed this. In 2 hours they claim.

  • http://actionmanage.com/ Dan

    Hi,

    For the past 3 days or so their email service Gmail has been all messed up for thousands if no millions of people…

    you can login…but you cannot read any emails….

    And they act like its no big deal….

    Read their lame responses to the problem(s)

    http://www.google.com/support/forum/p/gmail/threa

    ___

    Insane….what are we back in 1999?

    BTW: "Notify me of followup comments via e-mail"

    I cannot even use it…because being able to READ EMAILS…kinda the most important part.

    Looks like MS is starting to turn into what Google WAS ( competent) and Google is turning into what MS was ( Incompetent)

    ___

    Peace!

    Dan

  • anonymous

    ehh? good 2 know

 
Copyright 2006-2012 Techie Buzz. All Rights Reserved. Our content may not be reproduced on other websites. Content Delivery by MaxCDN