Google Blogoscoped

Forum

Good job coding YouTube? [HTML injection vulnerability]

WebSonic.nl [PersonRank 10]

Sunday, July 4, 2010
14 years ago10,702 views

Don't know why, don't know what it is but when clicking on the tweet from YouTube I got the following on my screen (Firefox and Chrome), see the screenshot.

http://lh3.ggpht.com/_J7sG-Fm0a5Q/TDCLM4ffXAI/AAAAAAAACHs/tiuUoALhgwA/goodjobcoding_youtube.jpg

The tweet: http://twitter.com/youtube/statuses/17718771873
The video: http://www.youtube.com/watch?v=vgbvKlGTwPg&

WebSonic.nl [PersonRank 10]

14 years ago #

Problem exist in the reactions, some posted a simple code that takes over the full screen :-).

Roger Browne [PersonRank 10]

14 years ago #

If you view the page source, you'll see that user nfani0 posted some inline CSS that didn't get properly sanitised by YouTube. The CSS displayed his comment across the whole screen.

But it's just a layout corruption, not a virus or anything.

WebSonic.nl [PersonRank 10]

14 years ago #

Yes the good old marguee element :-)

TOMHTML [PersonRank 10]

14 years ago #

Youtube page is normal for me, in french I get this message "Certains commentaires sur la vidéo ont été masqués en mode sécurisé" (Some comments have been hidden in secure mode).

The comment of nfani0 is now just : < script >

TOMHTML [PersonRank 10]

14 years ago #

[put at-character here]Websonic I've tried to post the same code you published on your website but it doesn't work and is automatically hidden.

WebSonic.nl [PersonRank 10]

14 years ago #

True, I tried that too, to see if I could take over the page as well but it didn't work for me either. Problem is already tackled I presume.

TOMHTML [PersonRank 10]

14 years ago #

No, because I've tested again the video page with Google Chrome and that time, after clicking on "show hidden messages" the hack works.
It seems that, after the click, comments are loaded in AJAX and the code use a vulnerabilty of this. But I'm unable to reproduce that again by myself.

Rohit Srivastwa [PersonRank 10]

14 years ago #

So what was the XSS string ??
a simple marque cannot hijack the whole page, there might be few more elements too.

WebSonic.nl [PersonRank 10]

14 years ago #

In my case I only noticed the marquee element. At that time the message was still on the page and working. But with a little CSS added to the marquee element you could take over easily. It was an overlay this way, the video was just behind it playing, only not vissible.

TOMHTML [PersonRank 10]

14 years ago #

As the message is no longer in the 10 latest messages, it doesn't trigger the moving message anymore.

Philipp Lenssen [PersonRank 10]

14 years ago #

Here's a report of a YouTube comments HTML injection vulnerability, found via Reddit:
http://www.google.com/support/forum/p/youtube/thread?tid=2059b45a2a699910&hl=en

(I can't normally access YouTube from China.)

nfani0 [PersonRank 0]

14 years ago #

It was more or less just a test by me to see if the vulnerability (figured out by other people, not me) actually worked. Turned out trying to remove the comment after exploiting the vulnerability didn't work out too well as the interface was no longer responding properly. I see the situation seems to be normal again now though. The code I used is visible in the comments and it's just missing the word script from inside the first and last set of <>.

TOMHTML [PersonRank 10]

14 years ago #

Thank you for the explaination, nfani0!

Juha-Matti Laurio [PersonRank 10]

14 years ago #

Covered via Internet Storm Center too, they promised to inform when details available:

http://isc.sans.edu/diary.html?storyid=9130

Philipp Lenssen [PersonRank 10]

14 years ago #

Here's an update from BBC:
http://news.bbc.co.uk/2/hi/technology/10506150.stm

Juha-Matti Laurio [PersonRank 10]

14 years ago #

Also via ComputerWorld's's Google confirms attack on YouTube:

http://www.computerworld.com/s/article/9178861/Google_confirms_attack_on_YouTube

ISC has no details posted yet, however
http://blogoscoped.com/forum/172327.html#id172348

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!