Justin Bieber fans under fire in YouTube XSS attack
July 5, 2010 by admin
If there are any breathless fans of Justin Bieber reading this – let me calm you straight away: Justin Bieber has not died in a car crash.
But you may have imagined that he did if you checked out some of his YouTube videos this long US Independence Day holiday weekend, or read one of the many internet rumours that spread over the last day or so.
A vulnerability in YouTube’s comment system was exploited widely this weekend, allowing mischief-makers to embed code through a cross-site scripting (XSS) flaw. And one of the things they did was post messages claiming that the teen pop sensation had died in a car crash.
Normally YouTube is smart enough to weed out offending code in the comments left on videos, but it appears that the hackers found a way to waltz past the site’s defences.
Those watching YouTube videos of Justin Bieber and others could find their eyeballs assaulted by prankish pop-ups and offensive messages, or find themselves redirected to tasteless websites.

It took about two hours before Google, YouTube’s parent company, got things under control.
XSS attacks are a serious problem, of course. Potentially they can fool unsuspecting users into handing over their login details (although this doesn’t appear to have happened on this occasion) or direct them to a malicious webpage.