YouTube hack: No virus, just a XSS flaw – and it’s already fixed

This Independence Day weekend seemed like the perfect time for hackers to take advantage of a cross-site scripting vulnerability in YouTube’s comments to bombard the users with annoying pop-ups that often contained fake news of a deadly car crash that involved teen star Justin Bieber and links that would take them to adult-content sites. The hackers even managed to disable comments altogether.

The hackers managed to bypass the filter that sanitizes the HTML code employed in the comments, and insert their own scripts. The attack was extremely simple to execute – two script tags in a row allowed the hackers to insert Javascript in the comments.

Luckily for the users, YouTube reacted promptly. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours,” said the Google spokesman, and din’t offer any details about the fix. ars technica speculates that they have probably stripped the comments of the double script tags and adjusted the HTML filter.

In the two hours this was going on, rumors and warnings of viruses and infections waiting for YouTube users ran rampant on Twitter.

“If this exploit had been discovered by a professional moneymaking outfit, there could have been all sorts of subtle attacks taking place for a long time – not good, given the apparent simplicity of the attack,” wrote Sunbelt’s Christopher Boyd, who posted different examples of how the flaw was picked up and misused by scammers: redirects to porn sites that steal email addresses, malware warnings that tried to get the users to delete the System32 folder, and others.