Warning: Highly Critical XSS Vulnerability Discovered in YouTube

YouTube-VulnerabilityIt appears that YouTube is vulnerable to XSS (cross-site scripting) attacks. Details are scarce since this is a breaking story. However, according to preliminary information available with us, it is possible to hijack cookies to gain access to a logged-in user’s Gmail and YouTube accounts.

Although, it’s unclear who discovered this vulnerability, 4Chan users are already trying to actively exploit it. The exploit makes use of PHP, JavaScript, and XSS, and is being spread through comments on videos. Any logged in user who has browsed to an infected page is vulnerable. The best solution is to completely log out of YouTube until this issue has been fixed. If you are worried that you have viewed an infected video, delete all your cookies.

Spread the word to your friends and family members and help them stay protected. We will update you as soon as we learn more.

Update 1: TheNextWeb is reporting that Justin Bieber videos are being targeted in a big way.

Update 2: YouTube has now blocked all scripts from comments. However, video titles are also vulnerable and video responses are now being used to exploit the vulnerability.

Update 3: Google has issued an official statement.

19 thoughts on “Warning: Highly Critical XSS Vulnerability Discovered in YouTube”

  1. Thanks for the advice and breaking the story as I think I may have visited an infected site (well it linked to the goatse website when I clicked on a users name who was runnning a script) But I have changed my password to a very strong one and logged out with only clearing of my cookies left to do.

    Damn it 4Chan

  2. Thanks for the advice and breaking the story as I think I may have visited an infected site (well it linked to the goatse website when I clicked on a users name who was runnning a script) But I have changed my password to a very strong one and logged out with only clearing of my cookies left to do.

    Damn it 4Chan, you guys are funny but sometimes take it too far!

      1. So how come so many 4Chan users are taking responsibility and claiming it was them? Or do you think It could've been a combination of both with the exploit been posted to both sites?

      2. As I mentioned in the article, I am not sure about the origin exploit (as in who discovered the vulnerability). But, 4Chan definitely played a part in spreading the news. Just a short while ago, there were threads in /b/ discussing how to exploit the vulnerability and sharing hacked youtube username/passwords.

    1. No silly, 4chan uses the rules of the internet. Rules 1+2 indicate that they do not say it was them, so some other website cops it. Usually it's eBaums, cause they're faggots and steal everything. We don't like people visiting our site because then "newfags" (oldfags trollin') come along and make everything pissweak. It was 4chan…

  3. he he, 4chan did a good thing spreading the word with a funny intent, doubt you will get infected if you don't click on show hidden comments as it;'s the thing that triggers it

  4. [email protected] says:

    This exploit shows that we still have the power to shake the base of internet. This day will be remembered along with 4chan.

  5. XHTML: You can use these tags: title="O M G ">

    I have evidence this evil attack comes from this evil mindet retards of ebaumsworld.

    O M G, when will lawenforcement stop this bad bad boys, when.

  6. Man it’s those a-holes from Ebaums World again :/ When will they ever stop, I need my daily dosage of youtube!

    DAMN YOU EBAUMS, DAMN YOU TO HELL!

  7. Hi,

    For the past 3 days or so their email service Gmail has been all messed up for thousands if no millions of people…

    you can login…but you cannot read any emails….

    And they act like its no big deal….

    Read their lame responses to the problem(s)

    http://www.google.com/support/forum/p/gmail/threa

    ___

    Insane….what are we back in 1999?

    BTW: "Notify me of followup comments via e-mail"

    I cannot even use it…because being able to READ EMAILS…kinda the most important part.

    Looks like MS is starting to turn into what Google WAS ( competent) and Google is turning into what MS was ( Incompetent)

    ___

    Peace!

    Dan

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>