Link to the report of Xssed.com's archive entry: http://www.xssed.com/mirror/25330/
The XSS vulnerability was reported on 7th Nov and is unpatched still.
The format of this specific vulnerability issue is quite simple – and easy to avoid. |
I tested on IE7 and Firefox in Safe mode (with all add-ons disabled), and seems like that only IE is effected. (probably the way it passes URLs)
Since YouTube is not on Google.com, I wouldn't worry too much about it, but if you are some kind of YouTube celebrity, take precautions.
I was thinking the other day that cookies like these should be hashed with the IP as part of the salt. Do you think it would more effective against XSS? |
Haochi, if you use the IP as part of the salt you make life hard for people on dialup who get a different dynamic IP every time they connect. Sometimes they won't even have closed their browser window in the meantime, so session cookies are still alive. |
> Since YouTube is not on Google.com, I wouldn't > worry too much about it, but if you are some kind > of YouTube celebrity, take precautions.
You can log-in with your Google Account credentials to YouTube though. Not that that makes a difference in terms of XSS as it's still not google.com... |