back to article YouTube vuln pwns Justin Bieber fans

Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site. The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    I don't have the full details...

    but it seemed that all you had to do was wrap your script in a <script> tag.

    epic fail?

  2. This post has been deleted by its author

    1. Piro Silver badge

      Well...

      One of them invokes my gag reflex..

      The other one's goatse

  3. Anonymous Coward
    Thumb Up

    People who compare Google to Apple

    Please note that Google hasn't said "The bloody stupid users are using Youtube wrong", not has Sergey Brin or Larry Page posted a comment saying "Its just common sense to not search for Justin Beiber".

    They stopped the problem spreading and then fixed it. A quick, efficient and sensible response. They _may_ be becoming something of a potentially evil empire, but at least they're efficient about it! Look at the mess Labour made of the same thing...

    Thumbs up, Google.

  4. Stefing
    Jobs Horns

    iMagine...

    There was no error, the reporting of the error was wrong and we have corrected the reporting of the error by changing the size of the the fault.

    Also: you're doing it wrong, with your stupid monkey hands.

  5. TeeCee Gold badge
    Thumb Down

    Pwning Justin Bieber fans.

    So the s'kiddies have given up on trying for the low-hanging fruit and resorted to picking up windfalls?

    It's all very sad.

  6. mark?
    Alert

    XSS?

    There was no cross-site scripting flaw. It was a html injection flaw!

    You could NOT execute JS code on YouTube visitors, but you could use the "<body onload=CodeHere>" it was possible to do "bad" stuff to Justin Bieber fans :P

  7. Anonymous Coward
    Unhappy

    Oh dear

    I take it Mr Efron is well and truly past it and we now have our offspring clamering after what is effectively a "world famous foetus"?

    "I used to be with it, then they changed what 'it' was and now 'it' seems awful scary to me!" - Grandpa Simpson

    1. Sarah Bee (Written by Reg staff)

      Re: Oh dear

      "Now what I'm with isn't it."

  8. Anonymous Coward
    Unhappy

    Stop dissing Ms. Bieber

    She's already got insecurity issues over her undeveloped bust.

  9. Anonymous Coward
    Flame

    Romanian Web Security Team Discovered This Vuln

    I have read many news about this vuln and no one credited TinKode from Romanian InSecurity Team who discovered first the issue and published details and a proof-of-concept on his blog on 3rd of July (http://blog.insecurity.ro/youtube-html-code-injection/)

  10. heyrick Silver badge

    I can understand why it was a "virus" scare.

    The report that I saw, and not on a Ms. Bieber video (who is she, anyway?), said:

    "Your computer is f***ed. You can thank <name> for this devastation."

    I dimly recall the name sounding Germanic, and there were no asterisks. Did NoScript prevent a payload from another site, or was it just a Scary Message?

    I spent Sunday afternoon running all my anti-whatever tools "just to be sure". No harm no foul. :-)

    BTW, I'm quite amused by the message saying to delete the System32 folder. The worrying thing is how many people may well have just done that...

  11. John Tserkezis

    Whew!

    How lucky was I to have the "Shaved Beiber" plugin installed and enabled?

    I've averted some serious brain damage there. Well, more brain damage.

  12. Carter Cole
    FAIL

    too busy blowing stuff up

    im sad i missed this xss attack... google seems like they fixed it quick.

This topic is closed for new posts.

Other stories you might like