CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 5th, 2010

YouTube Cross-site Scripting Flaw Abused By Hackers, Redirects Visitors To Fake Or Malicious Sites

Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.

The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that this JavaScript code was run on the machines of surfers viewing the same video clip.

Predictable enough, pranksters at 4Chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4Chan are separately trying to rig an online poll to encourage Beiber to play North Korea in an upcoming tour.

In other cases the flaw has become the fodder of comment spam. Google iced the problem hours after it first appeared, techie-buzz.com reports.

“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago,” said Google. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”

The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt charts the genesis of this rumour, which is just the sort of thing that’s likely be used in new anti-virus (scareware) scams.

Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.

“They [hackers] could steal your YouTube cookies, which probably doesn’t mean much to them, but they could also post various JavaScript code that will execute in your browser, in the context of YouTube,” an ISC handler writes. “I’ve seen nasty XSS attacks that are used to fake whole login screens and we know how many people use [the] same passwords for multiple accounts.”

Credit: The Register

Share this item with others:

More on CyberInsecure:
  • Hacked Obama Site Redirects Visitors to Clinton’s Site
  • Another Cross-Site Scripting Vulnerability On eBay Domain Sites Allows Phishing
  • Cross-site Scripting Vulnerability Found In MI5 Website By A Hacker
  • High Ranking Websites Spread Malware Through Cross-Site Scripting Vulnerabilities
  • New Cross-Site Scripting Vulnerability Found On Facebook

    • Posted in Breaches And Incidents, Google, Scams, Spam, Targeted Attacks, XSS | Print This Post Print This Post

    This entry was posted on Monday, July 5th, 2010 at 3:26 am and is filed under Breaches And Incidents, Google, Scams, Spam, Targeted Attacks, XSS. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: YouTube Cross-site Scripting Flaw Abused By Hackers, Redirects Visitors To Fake Or Malicious Sites

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »