Justin Bieber fans under fire in YouTube XSS attack

Filed Under: Celebrities, Social networks, Vulnerability

YouTube hole
If there are any breathless fans of Justin Bieber reading this - let me calm you straight away: Justin Bieber has not died in a car crash.

But you may have imagined that he did if you checked out some of his YouTube videos this long US Independence Day holiday weekend, or read one of the many internet rumours that spread over the last day or so.

A vulnerability in YouTube's comment system was exploited widely this weekend, allowing mischief-makers to embed code through a cross-site scripting (XSS) flaw. And one of the things they did was post messages claiming that the teen pop sensation had died in a car crash.

Normally YouTube is smart enough to weed out offending code left in the comments left for videos, but it appears that the hackers found a way to waltz past the site's defences.

Those watching YouTube videos of Justin Bieber and others could find their eyeballs assaulted by other prankish pop-ups and offensive messages or redirected to tasteless websites.

YouTube hacked

It took about two hours before Google, YouTube's parent company, got things under control.

XSS attacks are a serious problem, of course. Potentially they can fool unsuspecting users into handing over their login details (although this doesn't appear to have happened on this occasion) or direct them to a malicious webpage.

The Daily Telegraph quotes a Google spokesperson as saying:

"We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We're continuing to study the vulnerability to help prevent similar issues in the future."

Clearly YouTube is a big target, as it has so many millions of visitors every day, and you would hope that their web team will investigate what went wrong with their processes, and explore if they are reviewing code properly before it is made live to ensure that loopholes aren't left in their code in future.

* Image source: Richard Cunningham.

, ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.