July 4, 2010   News, Vulnerabilities, Vulnerabilities & attacks, Web Security   10 Comments

Cross-site scripting on YouTube

XSS vulnerability in YouTube comments processing allows an attacker to execute arbitrary scripts in the security context.

Go on youtube. Choose any video. Add the following script:

[php]<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>add your comment here<script>[/php]

Update (1): It is better to stay away from YouTube until they fix the vulnerability or at least logging out of YouTube if you use it.

Update (2): Google has informed that the vulnerability has now been fixed:

We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.

you can find the statement here.

make sure you subscribe to my RSS feed!

Related Posts:

Share
, ,
Subscribe
Notify of
guest
10 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback

[…] This post was mentioned on Twitter by Lance Miller, Mourad ben lakhoua and others. Mourad ben lakhoua said: Cross-site scripting on YouTube http://www.sectechno.com/2010/07/04/cross-site-scripting-on-youtube/ http://fb.me/xfnuNsdx […]

0
trackback

RT @Hfuhs: Cross-site scripting on YouTube fixed – http://fuhs.eu/1uk

0
trackback

Cross-site scripting on YouTube fixed – http://fuhs.eu/1uk

0
trackback

RT @MBenLakhoua Google has informed that youtube XSS vulnerability has now been fixed http://bit.ly/bw5y5s

0
trackback

RT @MBenLakhoua Cross-site scripting on YouTube:

XSS vulnerability in YouTube comments processing allows an… http://bit.ly/cqqr3K

0
trackback

RT @silvakreuz: #Google has informed that #YouTube #XSS #vulnerability has now been fixed http://bit.ly/bw5y5s (via RT @paperghost @MBen …

0
trackback

RT: @klightowler: Google fixes cross-site scripting vulnerability on youtube.com http://bit.ly/9RZEwA < 4chan were having a field day

0
trackback

Google fixes cross-site scripting (XSS) vulnerability on youtube.com http://bit.ly/9RZEwA

0
trackback

#Google has informed that #YouTube #XSS #vulnerability has now been fixed http://bit.ly/bw5y5s (via RT @paperghost @MBenLakhoua)

0
trackback

RT @sectechno: Google has informed that youtube XSS vulnerability has now been fixed http://bit.ly/bw5y5s

0