I don't have the full details...
but it seemed that all you had to do was wrap your script in a <script> tag.
One of them invokes my gag reflex..
The other one's goatse
People who compare Google to Apple
Please note that Google hasn't said "The bloody stupid users are using Youtube wrong", nor has Sergey Brin or Larry Page posted a comment saying "It's just common sense to not search for Justin Bieber".
They stopped the problem spreading and then fixed it. A quick, efficient and sensible response. They _may_ be becoming something of a potentially evil empire, but at least they're efficient about it! Look at the mess Labour made of the same thing...
Thumbs up, Google.
Pwning Justin Bieber fans.
So the s'kiddies have given up on trying for the low-hanging fruit and resorted to picking up windfalls?
It's all very sad.
There was no error, the reporting of the error was wrong and we have corrected the reporting of the error by changing the size of the fault.
Also: you're doing it wrong, with your stupid monkey hands.
There was no cross-site scripting flaw. It was an HTML injection flaw!
You could NOT execute JS code on YouTube visitors, but using "<body onload=CodeHere>" it was possible to do "bad" stuff to Justin Bieber fans :P
I take it Mr Efron is well and truly past it and we now have our offspring clamouring after what is effectively a "world famous foetus"?
"I used to be with it, then they changed what 'it' was and now 'it' seems awful scary to me!" - Grandpa Simpson
Re: Oh dear
"Now what I'm with isn't it."
Stop dissing Ms. Bieber
She's already got insecurity issues over her undeveloped bust.
Romanian Web Security Team Discovered This Vuln
I have read many news reports about this vuln and no one credited TinKode from Romanian InSecurity Team, who first discovered the issue and published details and a proof-of-concept on his blog on 3rd of July (http://blog.insecurity.ro/youtube-html-code-injection/)
I can understand why it was a "virus" scare.
The report that I saw, and not on a Ms. Bieber video (who is she, anyway?), said:
"Your computer is f***ed. You can thank <name> for this devastation."
I dimly recall the name sounding Germanic, and there were no asterisks. Did NoScript prevent a payload from another site, or was it just a Scary Message?
I spent Sunday afternoon running all my anti-whatever tools "just to be sure". No harm no foul. :-)
BTW, I'm quite amused by the message saying to delete the System32 folder. The worrying thing is how many people may well have just done that...
How lucky was I to have the "Shaved Bieber" plugin installed and enabled?
I've averted some serious brain damage there. Well, more brain damage.
too busy blowing stuff up
I'm sad I missed this XSS attack... Google seems like they fixed it quick.