Update: it looks like YouTube has solved the issue. The word “script” has been blacklisted and removed from all comments, and the injection scripts no longer work.
If you’ve visited YouTube today (4th of July, 2010), chances are that you’ve seen some strange things going on in the comments section of popular (and unpopular) videos.

Image caption: The red text is marquee text. It is a harmless implementation of the exploit.
There is an HTML injection exploit wreaking havoc in the comments section of YouTube videos. HTML injection refers to injecting HTML code into a web server’s response to alter the content shown to the end user.
The basic form of the exploit that most people use is &lt;script&gt;<script>IF_HTML_FUNCTION ?<h1><marquee>insert whatever text you want in marquee here<script>. If you’re computer savvy you’ll know that &lt;script&gt; is actually the entity name for <script> and that IF_HTML_FUNCTION has nothing to do with it, which makes the actual exploit code &lt;script&gt;<script>HTML_PAYLOAD_CODE.
The security of the YouTube comments does not let any HTML code after the first <script> survive, but apparently HTML placed after the second one survives unscathed. That is a pretty big security issue for them.
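To show why a filter of this kind fails and what the robust alternative looks like, here is an added example (written for this page, not YouTube’s code and not the exploit author’s). It models a hypothetical blacklist filter that only reacts to the first <script> tag it finds, runs constructed sample comments modelled on the marquee payload above through it, and contrasts it with escaping every comment on output. The sample comments, function names and the filter’s behaviour are all assumptions made for the demonstration.

```python
import html
import re

# Constructed sample comments modelled on the page's harmless marquee payload.
# They are inputs written for this example, not comments captured from YouTube.
SINGLE_TAG = "<script><h1><marquee>one tag</marquee>"
DOUBLE_TAG = "<script><script><h1><marquee>two tags</marquee>"
ENTITY_FIRST = "&lt;script&gt;<script><marquee>entity then tag</marquee>"

SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
ANY_TAG = re.compile(r"<[^>]+>")


def naive_filter(comment: str) -> str:
    """Hypothetical blacklist filter (not YouTube's code): it removes the first
    <script> tag it finds and nothing else, trusting that one match is enough.
    Everything before and after that single match is passed through untouched."""
    return SCRIPT_OPEN.sub("", comment, count=1)


def contains_script_tag(rendered: str) -> bool:
    """Does the string still hold an unescaped <script> tag?"""
    return SCRIPT_OPEN.search(rendered) is not None


def contains_live_tag(rendered: str) -> bool:
    """Does the string still hold any unescaped HTML tag a browser would parse?"""
    return ANY_TAG.search(rendered) is not None


def safe_render(comment: str) -> str:
    """Hardened form: escape every '<', '>', '&' and quote on output. The browser
    then shows the text literally, whatever tags or entities the author typed.
    An already-encoded '&lt;' becomes '&amp;lt;' and still displays as '&lt;'."""
    return html.escape(comment, quote=True)


def render_report(comments, sanitizer):
    """Run comments through a sanitizer and report which still carry markup."""
    report = []
    for original in comments:
        out = sanitizer(original)
        report.append((original, out, contains_script_tag(out), contains_live_tag(out)))
    return report


if __name__ == "__main__":
    samples = [SINGLE_TAG, DOUBLE_TAG, ENTITY_FIRST]
    for name, fn in (("naive", naive_filter), ("safe", safe_render)):
        for _, out, script_left, tag_left in render_report(samples, fn):
            print(f"{name:5} script={script_left!s:5} any_tag={tag_left!s:5} {out!r}")
```

The point of the comparison: the one-match filter neutralises the single-tag comment but leaves a live <script> (plus the marquee) in the doubled one, and it never touched the marquee at all. Escaping on output has no such ordering to get wrong, because it never tries to recognise dangerous tags; it treats every comment as text.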
Should you be worried about the exploit?
There are numerous possible implementations of it, ranging from harmless to disgusting to potentially damaging if you are a YouTube partner.
Probably the most widespread use of the newly found exploit is marquee text. That is because most internet users don’t know any HTML and use the basic exploit code, which only inserts marquee text and prevents any comments posted before it from loading (the comments are not deleted). Risk factor: none.
Another use of the YouTube exploit is redirecting to other URLs. Most redirects are either to porn pages (yay?) or a disgusting image of a guy. But redirects can also be used to send users to pages that can potentially install harmful software on their machines. Risk factor: medium to high.
Probably the most damaging use of the exploit is that it allows JavaScript code, which can be used to steal YouTube session cookies or to launch more complex malicious attacks. What this means is that upon visiting a page that has such code on it, the attacker could gain access to your YouTube session cookie, which is the cookie that authenticates you – the reason why you are not automatically logged out of YouTube every time you leave the page or restart your browser. Using that cookie, the exploiter can then log into the YouTube account associated with it (and delete all your videos, upload random ones, change settings, etc.). They cannot change your password though, because that requires access to your email account too. Also, this should be easy to “bypass.” All you have to do if you think you might have visited a YouTube page that had such a comment exploit on it is log out of YouTube – that makes the session stored in the cookie useless, so you won’t have foreign users on your account. Risk factor: medium to high.
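The claim that logging out makes a copied session cookie useless depends on the server keeping the session state, not the cookie. The following added example (written for this page; it is not YouTube’s implementation and assumes a hypothetical in-memory session store, a constructed user name and the function names shown) walks through that: a session id is copied while valid, it authenticates the copy-holder, and it stops working the moment the real user logs out. It also builds the Set-Cookie header a defender would want for such a cookie, with the HttpOnly flag that keeps injected page script from reading it in the first place.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Hypothetical server-side session table: the cookie carries only an opaque
    id, and the server maps that id to a user. Deleting the entry is what makes
    a copied cookie useless, which is the effect of logging out."""

    def __init__(self):
        self._sessions = {}

    def login(self, username: str) -> str:
        session_id = secrets.token_urlsafe(32)   # unguessable id, 256 bits of entropy
        self._sessions[session_id] = username
        return session_id

    def user_for(self, session_id: str):
        """Return the user a session id belongs to, or None once it is revoked."""
        return self._sessions.get(session_id)

    def logout(self, session_id: str) -> None:
        """Revoke the session on the server. A cookie copied before this point
        now maps to nothing, so whoever holds it is no longer authenticated."""
        self._sessions.pop(session_id, None)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the session id. HttpOnly keeps document.cookie (and
    therefore any script injected into the page) from reading it; Secure limits
    it to HTTPS; SameSite=Lax stops most cross-site requests from carrying it."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def replay_scenario() -> dict:
    """Walk through the scenario with constructed data: a session id is copied
    while valid, works for the copy-holder, then dies when the owner logs out."""
    store = SessionStore()
    sid = store.login("alice")          # constructed user name for the example
    stolen_copy = sid                   # same string, as if lifted from a cookie jar
    before = store.user_for(stolen_copy)
    store.logout(sid)                   # the real user logs out
    after = store.user_for(stolen_copy)
    return {"before_logout": before, "after_logout": after}


if __name__ == "__main__":
    print(session_cookie_header(secrets.token_urlsafe(8)))
    print(replay_scenario())
```

Two things follow from the design. First, logout only helps if the server actually forgets the id; a purely client-side "delete the cookie" leaves the copy valid until it expires. Second, HttpOnly does not stop an injected script from acting on the page while the victim is on it, so it complements, rather than replaces, escaping comments on output.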
My recommendation is to log out of your YouTube account and not watch any videos until this has been fixed (it should be fixed soon, as it is a major issue with deep implications).
If this was helpful to you, tell your friends about it.
Note: all posted code is strictly for informative purposes. Do not use it “for fun” or “to see what happens.” Any misuse falls under your responsibility.