Update: looks like YouTube solved the issue. The word “script” has been blacklisted and removed from all comments, the injection scripts are no longer working.
If you’ve visited YouTube today (4th of July, 2010), chances are that you’ve seen some strange things going on in the comments section of popular (& unpopular) vids.
There is an HTML injection exploit wreaking havoc in the comments section of YouTube videos. HTML injection means injecting HTML code into a web server's response so that the content shown to the end user is altered.
The basic form of the exploit that most people use is <script><script>IF_HTML_FUNCTION ?<h1><marquee>insert whatever text you want in marquee here<script>. If you’re computer savvy you’ll know that &lt;script&gt; is actually the HTML entity encoding of <script> and that IF_HTML_FUNCTION has nothing to do with it. Which makes the actual exploit code be
The security filtering of YouTube comments does not allow any HTML code after the first <script> to survive, but apparently HTML placed after the second one survives unscathed. That is a pretty big security issue for them.
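To make the filter behaviour described above concrete, here is an added illustration (not code from the post, and not YouTube's actual filter): a hypothetical sanitizer that reproduces the "survives after the second tag" symptom, a model of the word-blocklist quick fix mentioned in the update, and an encoding-based fix that does not depend on spotting tags at all.

```javascript
// Added illustration, not the post's or YouTube's code. Payload shape quoted in the
// post (marquee text only), used here as constructed test input.
const PAYLOAD = '<script><script>IF_HTML_FUNCTION ?<h1><marquee>hello</marquee>';

// Hardened approach: encode every character the HTML parser gives meaning to, so text
// typed by a commenter can never become a tag, whatever order the tags come in.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical vulnerable filter. Intended logic: a <script> tag plus the markup directly
// following it is one "script block" to be deleted; any other comment is escaped.
// Defect: the block regex is non-global and greedy, so a second <script> is swallowed
// into the match and whatever follows it is returned raw. HTML placed right after the
// first <script> is removed, HTML placed after the second one survives.
function naiveSanitize(comment) {
  const block = /<script>(\s*<[^>]*>)*/i;
  if (block.test(comment)) {
    return comment.replace(block, ''); // assumes the block was the only markup
  }
  return escapeHtml(comment);
}

// Model of the quick fix in the update: comments containing the word "script" are
// dropped. It stops the payload but also eats innocent comments ("Nice description!").
function blocklistFilter(comment) {
  return /script/i.test(comment) ? '' : naiveSanitize(comment);
}

// Regression check for the render path: does anything an HTML parser would treat as
// a tag opener (`<` followed by a letter, `/`, `!` or `?`) survive the filter?
function containsMarkup(rendered) {
  return /<[a-z\/!?]/i.test(rendered);
}

console.log(containsMarkup(naiveSanitize('<script><h1><marquee>hello'))); // false
console.log(containsMarkup(naiveSanitize(PAYLOAD)));                      // true
console.log(containsMarkup(escapeHtml(PAYLOAD)));                         // false
console.log(JSON.stringify(blocklistFilter('Nice description!')));        // ""
```

The regression check is the part worth keeping in a real code base: run every historical payload shape through the filter and fail the build if any tag opener is left in the output.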
Should you be worried about the exploit?
There are numerous ways to use it, ranging from harmless to disgusting to potentially damaging if you are a YouTube partner.
Probably the most widespread use of the newly found exploit is marquee text. That is because most internet users don’t know any HTML and simply paste the basic exploit code, which only inserts a marquee and stops any comments posted before it from being loaded (the comments are not deleted). Risk factor: none.
Another use of the YouTube exploit is redirecting to other URLs. Most redirects are either to porn pages (yay?) or a disgusting image of a guy. But redirects can also be used to send users to pages that can potentially install harmful software on their machines. Risk factor: medium to high.
My recommendation is to log out of your YouTube account and don’t watch any videos until this has been fixed (it should be fixed soon as it is a major issue with deep implications).
If this was helpful to you, tell your friends about it.
Note: all posted code is strictly for informative purposes. Do not use it “for fun” or “to see what happens.” Any misuse falls under your responsibility.