Rogue scripting inserted into comments

Jul 5, 2010 07:58 GMT  ·  By

YouTube was plagued by a serious cross-site scripting vulnerability over the weekend. Until Google moved in to patch it, the bug was abused by unnamed attackers to poison the comments on multiple videos.

Rumors of viruses being spread through YouTube started sometime on Sunday, and the news quickly took off on Twitter. A message reading "Listen up guys: Don't watch any youtube videos or comment them today, there's a virus! Spread!" made it into the "top tweets."

The problem was tracked down to malicious JavaScript that was inserted into comments by exploiting a persistent XSS flaw. It appears videos related to teen sensation Justin Bieber, who has a huge fan base online, were most targeted.

Cross-site scripting (XSS) vulnerabilities stem from improper validation of user input submitted through forms and allow attackers to inject unauthorized code into the page. There are several types of XSS flaws, the most common being persistent (stored), which results in permanent changes to the affected page, and reflected, which can only be exploited by tricking the user into opening a crafted URL.

It looks like the YouTube XSS bug was persistent in nature. In a message posted on Twitter, Mikko H. Hypponen, chief research officer at Finnish antivirus vendor F-Secure, explains that the "2nd tag in '<script><script>' is not escaped, enabling comments with JavaScript embedded in them."
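The bug class Hypponen describes is a denylist filter that neutralizes the token it looks for only once and never rescans its own output. The following Python is an added illustration, not YouTube's code or anything disclosed by the researchers: `naive_filter` is a hypothetical model of such a single-pass filter, `SAMPLE_COMMENT` is a constructed input, and the remaining functions show the check a reviewer would run against any such filter (does a second application change anything?) together with the mitigation (iterate to a fixed point) and the proper fix (encode every HTML-significant character once, at output time).

```python
import html
import re

# Constructed sample comment (not from the article): the doubled tag the
# article describes, around a harmless marker payload.
SAMPLE_COMMENT = 'nice vid <script><script>alert(1)</script></script>'

# Any <script ...> open tag, case-insensitive; browsers are lenient here.
SCRIPT_OPEN = re.compile(r'<script\b[^>]*>', re.IGNORECASE)


def naive_filter(comment: str) -> str:
    """Hypothetical model of the bug class: HTML-escape only the FIRST
    <script> open tag found, then stop scanning. Not YouTube's code."""
    return SCRIPT_OPEN.sub(lambda m: html.escape(m.group(0)), comment, count=1)


def contains_script_tag(fragment: str) -> bool:
    """Check a stored comment, or a filter's output, for a live <script> tag."""
    return SCRIPT_OPEN.search(fragment) is not None


def is_stable(filter_fn, comment: str) -> bool:
    """A denylist filter is only trustworthy if applying it a second time
    changes nothing; a filter that is not stable can be beaten by doubling
    or nesting the token it looks for."""
    once = filter_fn(comment)
    return filter_fn(once) == once


def filter_until_stable(filter_fn, comment: str, max_rounds: int = 10) -> str:
    """Mitigation for an unstable denylist filter: re-apply until the output
    stops changing, so no second tag survives. Still a denylist, so it is a
    stopgap; escape_for_html below is the real fix."""
    current = comment
    for _ in range(max_rounds):
        nxt = filter_fn(current)
        if nxt == current:
            return current
        current = nxt
    raise ValueError("filter did not converge; reject the comment")


def escape_for_html(comment: str) -> str:
    """Proper fix: encode every HTML-significant character exactly once, at
    the point where the comment is written into the page body."""
    return html.escape(comment, quote=True)


if __name__ == "__main__":
    out = naive_filter(SAMPLE_COMMENT)
    print("naive filter output :", out)
    print("script tag survives :", contains_script_tag(out))
    print("filter is stable    :", is_stable(naive_filter, SAMPLE_COMMENT))
    print("fixed-point output  :", filter_until_stable(naive_filter, SAMPLE_COMMENT))
    print("escaped output      :", escape_for_html(SAMPLE_COMMENT))
```

Note that `escape_for_html` is deliberately not idempotent (escaping twice yields `&amp;lt;`), which is why the stability check applies to stripping or denylist filters, while output encoding is applied exactly once at the trust boundary.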

A Romanian grey hat hacker calling himself TinKode took credit for the discovery of the flaw. The security enthusiast disclosed it in a post on a hacking blog on Saturday. From there, it was picked up by members of 4chan, a well-known hangout for Internet pranksters, who used it to attack Bieber fans.

Fortunately, Google moved in quickly to patch the flaw. "We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future," a Google representative told Techie Buzz.

You can follow the editor on Twitter @lconstantin