Don't know why, don't know what it is, but when clicking on the tweet from YouTube I got the following on my screen (Firefox and Chrome); see the screenshot.
http://lh3.ggpht.com/_J7sG-Fm0a5Q/TDCLM4ffXAI/AAAAAAAACHs/tiuUoALhgwA/goodjobcoding_youtube.jpg
The tweet: http://twitter.com/youtube/statuses/17718771873
The video: http://www.youtube.com/watch?v=vgbvKlGTwPg&
|
The problem exists in the reactions; someone posted a simple piece of code that takes over the full screen :-). |
If you view the page source, you'll see that user nfani0 posted some inline CSS that didn't get properly sanitised by YouTube. The CSS displayed his comment across the whole screen.
But it's just a layout corruption, not a virus or anything. |
Yes, the good old marquee element :-) |
The YouTube page is normal for me; in French I get this message: "Certains commentaires sur la vidéo ont été masqués en mode sécurisé" (Some comments have been hidden in secure mode).
nfani0's comment is now just: < script > |
Websonic, I've tried to post the same code you published on your website, but it doesn't work and is automatically hidden. |
True, I tried that too, to see if I could take over the page as well, but it didn't work for me either. The problem is already tackled, I presume. |
No, because I've tested the video page again with Google Chrome, and that time, after clicking on "show hidden messages", the hack works. It seems that, after the click, comments are loaded via AJAX and the code uses a vulnerability in this. But I'm unable to reproduce that again by myself. |
So what was the XSS string? A simple marquee cannot hijack the whole page; there might be a few more elements too. |
In my case I only noticed the marquee element. At that time the message was still on the page and working. But with a little CSS added to the marquee element you could take over easily. It was an overlay this way; the video was just behind it playing, only not visible. |
As the message is no longer in the 10 latest messages, it doesn't trigger the moving message anymore. |
Here's a report of a YouTube comments HTML injection vulnerability, found via Reddit: http://www.google.com/support/forum/p/youtube/thread?tid=2059b45a2a699910&hl=en
(I can't normally access YouTube from China.) |
It was more or less just a test by me to see if the vulnerability (figured out by other people, not me) actually worked. It turned out that trying to remove the comment after exploiting the vulnerability didn't work out too well, as the interface was no longer responding properly. I see the situation seems to be normal again now, though. The code I used is visible in the comments, and it's just missing the word script from inside the first and last set of <>. |
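The thread above describes two sanitizer weaknesses on the comment side: inline CSS on a comment element was left in place, and the word "script" was stripped out of the posted markup while the surrounding `< >` survived. Both are symptoms of a blocklist that deletes known-bad substrings from the raw markup. The following is an added example, not code from YouTube or from anyone in this thread; it shows the defensive alternative an engineer would want for user comments: parse the comment, rebuild it from an allowlist of tags with all attributes dropped, escape everything else to visible text, discard `<script>`/`<style>` together with their contents, and close any tag the commenter left open so the comment cannot leak formatting into the rest of the page. The allowlist (`b`, `i`, `em`, `strong`, `p`, `br`) and the sample comments are assumptions constructed for this example; it uses only Python's standard library `html.parser`.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist approach: only these tags survive, and they survive with NO attributes
# (so no style="", no onclick="", no class=""). Everything else is either escaped
# to visible text or, for script/style, dropped together with its contents.
# The set itself is an assumption for this example, not a known YouTube policy.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}                       # never pushed on the open-tag stack
DROP_WITH_CONTENT = {"script", "style"}  # their text content is discarded too


class CommentSanitizer(HTMLParser):
    """Rebuilds a comment from parsed tokens; the raw markup never reaches the output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape
        self.out = []
        self.open = []        # allowlisted tags currently open, in order
        self.suppress = 0     # > 0 while inside <script>/<style>: drop text
        self.dropped = []     # audit trail: what was removed from this comment

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.suppress += 1
            self.dropped.append(f"<{tag}> with its content")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}> tag")
            return
        for name, _value in attrs:
            # attributes are discarded wholesale, including style= and on*= handlers
            self.dropped.append(f"attribute {name} on <{tag}>")
        self.out.append(f"<{tag}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.suppress = max(0, self.suppress - 1)
            return
        if tag not in self.open:
            return            # stray or disallowed close tag: ignore it
        # close everything opened after it as well, so nesting stays well-formed
        while self.open:
            opened = self.open.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if self.suppress:
            return
        self.out.append(escape(data, quote=False))

    # comments, declarations and processing instructions are never emitted
    def handle_comment(self, data):
        self.dropped.append("html comment")

    def handle_decl(self, decl):
        self.dropped.append("declaration")

    def unknown_decl(self, data):
        self.dropped.append("declaration")

    def handle_pi(self, data):
        self.dropped.append("processing instruction")

    def result(self):
        # an unclosed <b> or <p> would otherwise apply to the rest of the page
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_comment(raw):
    """Return (safe HTML for one comment, list of things removed from it)."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # constructed sample comments, not the ones that were posted on YouTube
    samples = [
        '<b style="position:fixed;top:0">hello</b>',
        '<marquee style="position:fixed">moving</marquee>',
        '<style>body{display:none}</style>still visible',
        '<script>alert(1)</script>after',
        '<i><b>unclosed',
        'a < b & &lt;script&gt;',
    ]
    for raw in samples:
        clean, dropped = sanitize_comment(raw)
        print(f"{raw!r:50} -> {clean!r}  dropped={dropped}")
```

The `dropped` list is the part worth keeping in production: a comment that had `style` attributes or a `<style>` block removed is a cheap signal to log and rate-limit, whereas a blocklist that silently deletes the word "script" leaves no trace and, as the thread shows, still lets the surrounding markup through.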
Thank you for the explanation, nfani0! |
Covered via the Internet Storm Center too; they promised to inform when details are available:
http://isc.sans.edu/diary.html?storyid=9130 |
Also via ComputerWorld's "Google confirms attack on YouTube":
http://www.computerworld.com/s/article/9178861/Google_confirms_attack_on_YouTube
ISC has no details posted yet; however, see http://blogoscoped.com/forum/172327.html#id172348 |