Home Code Snippets Oracle Reference Oracle Functions Oracle Error Codes Forum Oracle Jobs Oracle Blogs

YouTube Stung By HTML Injection Attack

YouTube users got a special treat on July 4th- a large-scale attack was done against thousands of pages on the site using a simple HTML injection vulnerability in the comment system. The attack caused effects such as blacked out pages with enormous text scrolling across them, blanked out pages, and lots of redirects to "shock site" (which we're not Not NOT going to detail here, but suffice it to say that some of the sites users got sent to were pretty awful).

Early rumors suggest that users from the site "4chan" were behind the mischief, but details are sparse at this time. It also appears that once news of the vulnerability got out, lots of parties start using it. Digg, ebaumsworld, and several other sites are claimed to have joined in the fun as word spread.

I've said it before and I'll say it again: any web site accepting any kind of input from users needs to validate all input rigorously. In this canse the exploit was performed by placing a <script> tag at the very beginning of a post. The tag gets escaped properly but everything following it is placed in the page without any filtering. Which means people could post nearly anything they felt like to any YouTube page. And they did.

YouTube acted quickly and blocked comments containing <script> tags from being posted, and at the same time they also set the comments section to be hidden by default. This resulted in all comments being temporarily hidden (and, as the saying goes, "nothing of value was lost", since YouTube comments are widely regarded as some of the most idiotic human-produced text on the net).

Why YouTube didn't check user input to look for offending tags in fields they knew would be rendered by an HTML interpreter is quite the puzzler, and also shows that any site can be vulnerable.

But here's some food for thought….what if 4chan hadn't gotten a hold of the vulnerability? What if some serious scammers, spammers, or phishers did? And what if they used it for weeks? It would have been more subtle, and with YouTube's traffic it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. And worst of all, who's to say that this didn't happen already?

But look on the bright side- at least they didn't redirect ALL the affected pages to something really offensive.

This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

Post a Comment

Your email is never published nor shared. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Spam Protection by WP-SpamFree