Enthusiastic YouTube fans were greeted with frustrating pop-ups, disabled comments, and even porn redirects over Independence Day weekend as they searched for their favourite videos. A group of malevolent pranksters believed to be from 4chan took advantage of a cross-site scripting vulnerability in YouTube’s comments on Sunday, crashing as many video pages as possible before Google stepped in with a fix.
And YouTube didn’t find out about it until 5 to 8 hours after it first started. The “hack” was pretty interesting. It started off as a simple way to disable comments, then grew more complicated: pop-ups, redirects to porn sites, pages entirely blanked out or altered, and browser crashes.
YouTube’s usage rules restrict the use of HTML in the comments section for videos, and with good reason: to prevent exactly the kind of cross-site scripting incident that took place. YouTube also employed a filter to ensure that any HTML used in comments was properly scrutinized, but a flaw in it allowed the 4chan crowd to get past the block with their own scripts.
The hack was as simple as using two script tags in a row (<script><script>fun scripting goes here!).
The first of the tags would get stripped and the second was allowed through, which made it possible to post links in YouTube comments; this flaw enabled redirects to shock sites and annoying pop-ups.
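The filter behaviour described above can be modelled next to the usual fix, output encoding. This is an added example, not YouTube's code: flawed_filter is a hypothetical stand-in that assumes only the first script tag is stripped, and the sample comments are constructed.

```python
import html
import re
from html.parser import HTMLParser

SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.IGNORECASE)

def flawed_filter(comment):
    """Hypothetical model of the flaw: only the FIRST <script> tag is removed."""
    return SCRIPT_OPEN.sub("", comment, count=1)

def safe_render(comment):
    """Hardened form: encode on output so user text can never become markup."""
    return html.escape(comment, quote=True)

class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser recognises in the input."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def live_tags(markup):
    """Return the start tags that would be parsed as real markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

# Constructed sample comments; the last one is the pattern quoted in the article.
SAMPLES = [
    "nice video!",
    "<script>fun scripting goes here!",
    "<script><script>fun scripting goes here!",
]

def compare(samples=SAMPLES):
    """For each comment: (comment, tags surviving the filter, tags after escaping)."""
    return [(c, live_tags(flawed_filter(c)), live_tags(safe_render(c)))
            for c in samples]

if __name__ == "__main__":
    for comment, filtered, escaped in compare():
        print(f"{comment!r}")
        print(f"  flawed filter -> live tags: {filtered}")
        print(f"  escaped       -> live tags: {escaped}")
```

Stripping removes one tag and trusts whatever is left, while escaping leaves nothing in the comment for the browser to interpret as a tag.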
This caused huge turmoil among fans of Justin Bieber videos over the Independence Day weekend, as observers reported that his videos were the ones most heavily targeted. The porn pranksters had a field day with the YouTube injection flaw: they were able to insert HTML code into YouTube pages devoted to Bieber and greet fans with redirects to adult content as well as numerous pop-up messages, including one claiming the 16-year-old star had been killed in a car accident.
When contacted, YouTube confirmed the incident and stated that comments were temporarily disabled and a fix was issued immediately; however, observers reported that it took about 5 to 8 hours before YouTube stepped in with a fix. “We are continuing to study the vulnerability to help prevent similar issues in the future,” the Google spokesperson said.
This kind of cross-site scripting incident reminds us that malicious pranksters have once again outwitted the smart brains at Google, and that it’s not always a great idea to give users free rein over their own scripting code. Security researchers have said for years that social networking websites are a breeding ground for such pranksters and malware writers. That’s the reason YouTube had such a restriction in the first place, but the porn pranksters eventually had a field day with the injection flaw.