The Register® — Biting the hand that feeds IT

Feeds

YouTube vuln pwns Justin Bieber fans

Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site. The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that …

This topic is closed for new posts.
Anonymous Coward
FAIL

I don't have the full details...

but it seemed that all you had to do was wrap your script in a <script> tag.

epic fail?

This post has been deleted by its author

Piro
Reply Icon

Well...

One of them invokes my gag reflex..

The other one's goatse

Anonymous Coward
Thumb Up

People who compare Google to Apple

Please note that Google hasn't said "The bloody stupid users are using Youtube wrong", not has Sergey Brin or Larry Page posted a comment saying "Its just common sense to not search for Justin Beiber".

They stopped the problem spreading and then fixed it. A quick, efficient and sensible response. They _may_ be becoming something of a potentially evil empire, but at least they're efficient about it! Look at the mess Labour made of the same thing...

Thumbs up, Google.

TeeCee
Thumb Down

Pwning Justin Bieber fans.

So the s'kiddies have given up on trying for the low-hanging fruit and resorted to picking up windfalls?

It's all very sad.

Stefing
Jobs Horns

iMagine...

There was no error, the reporting of the error was wrong and we have corrected the reporting of the error by changing the size of the the fault.

Also: you're doing it wrong, with your stupid monkey hands.

mark?
Alert

XSS?

There was no cross-site scripting flaw. It was a html injection flaw!

You could NOT execute JS code on YouTube visitors, but you could use the "<body onload=CodeHere>" it was possible to do "bad" stuff to Justin Bieber fans :P

Anonymous Coward
Unhappy

Oh dear

I take it Mr Efron is well and truly past it and we now have our offspring clamering after what is effectively a "world famous foetus"?

"I used to be with it, then they changed what 'it' was and now 'it' seems awful scary to me!" - Grandpa Simpson

Sarah Bee
(Written by Reg staff)
Reply Icon

Re: Oh dear

"Now what I'm with isn't it."

Anonymous Coward
Unhappy

Stop dissing Ms. Bieber

She's already got insecurity issues over her undeveloped bust.

Anonymous Coward
Flame

Romanian Web Security Team Discovered This Vuln

I have read many news about this vuln and no one credited TinKode from Romanian InSecurity Team who discovered first the issue and published details and a proof-of-concept on his blog on 3rd of July (http://blog.insecurity.ro/youtube-html-code-injection/)

heyrick

I can understand why it was a "virus" scare.

The report that I saw, and not on a Ms. Bieber video (who is she, anyway?), said:

"Your computer is f***ed. You can thank <name> for this devastation."

I dimly recall the name sounding Germanic, and there were no asterisks. Did NoScript prevent a payload from another site, or was it just a Scary Message?

I spent Sunday afternoon running all my anti-whatever tools "just to be sure". No harm no foul. :-)

BTW, I'm quite amused by the message saying to delete the System32 folder. The worrying thing is how many people may well have just done that...

John Tserkezis

Whew!

How lucky was I to have the "Shaved Beiber" plugin installed and enabled?

I've averted some serious brain damage there. Well, more brain damage.

Carter Cole
FAIL

too busy blowing stuff up

im sad i missed this xss attack... google seems like they fixed it quick.

This topic is closed for new posts.