Google Blogoscoped


Cross-site scripting vuln on YouTube

Juha-Matti Laurio [PersonRank 10]

Thursday, November 8, 2007
16 years ago, 2,503 views

Link to the report of Xssed.com's archive entry:
http://www.xssed.com/mirror/25330/

The XSS vulnerability was reported on 7th Nov and is unpatched still.

The format of this specific vulnerability issue is quite simple – and easy to avoid.

Haochi [PersonRank 10]

16 years ago

I tested on IE7 and Firefox in Safe mode (with all add-ons disabled), and it seems that only IE is affected (probably the way it passes URLs).

Since YouTube is not on Google.com, I wouldn't worry too much about it, but if you are some kind of YouTube celebrity, take precautions.

I was thinking the other day that cookies like these should be hashed with the IP as part of the salt. Do you think it would be more effective against XSS?

Roger Browne [PersonRank 10]

16 years ago

Haochi, if you use the IP as part of the salt you make life hard for people on dialup who get a different dynamic IP every time they connect. Sometimes they won't even have closed their browser window in the meantime, so session cookies are still alive.
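The cookie binding Haochi proposes and the dynamic-IP problem Roger Browne raises, as an added example that is not part of the original thread. It uses HMAC-SHA256 in place of the salted hash mentioned above; the key, the addresses, the function names and the optional /24 prefix binding are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed demo key; a real service would load its key from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id, client_ip, prefix_len, key):
    # prefix_len=32 binds to the exact IPv4 address, 24 to its enclosing /24 network.
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    msg = f"{session_id}|{net}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id, client_ip, prefix_len=32, key=SERVER_KEY):
    """Return 'session_id.tag', the tag covering the session id and the bound address."""
    return f"{session_id}.{_tag(session_id, client_ip, prefix_len, key)}"


def verify_cookie(cookie, client_ip, prefix_len=32, key=SERVER_KEY):
    """Accept the cookie only if its tag matches the address the request came from."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return False
    expected = _tag(session_id, client_ip, prefix_len, key)
    return hmac.compare_digest(tag.encode(), expected.encode())


def demo():
    """Run the thread's scenarios on constructed documentation addresses."""
    sid = secrets.token_urlsafe(16)
    exact = issue_cookie(sid, "203.0.113.7")
    loose = issue_cookie(sid, "203.0.113.7", prefix_len=24)
    return {
        "same_ip": verify_cookie(exact, "203.0.113.7"),
        "copied_cookie_other_network": verify_cookie(exact, "198.51.100.9"),
        "user_new_dynamic_ip": verify_cookie(exact, "203.0.113.88"),
        "user_new_ip_prefix24": verify_cookie(loose, "203.0.113.88", prefix_len=24),
        "copied_cookie_prefix24": verify_cookie(loose, "198.51.100.9", prefix_len=24),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Either binding only limits replay of a copied cookie from a different address. Script injected into a page runs in the victim's own browser, so its requests still arrive from the bound address.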

Philipp Lenssen [PersonRank 10]

16 years ago

> Since YouTube is not on Google.com, I wouldn't
> worry too much about it, but if you are some kind
> of YouTube celebrity, take precautions.

You can log in with your Google Account credentials to YouTube though. Not that that makes a difference in terms of XSS as it's still not google.com...
