WhoIsYou
07-04-2010, 10:59 AM
4chan had a field day, an XSS flaw was found, allowing anyone to inject unsanitized html/javascript into youtube comments.
Here's a thread on the google support site that someone made about it:
http://www.google.com/support/forum/p/youtube/thread?tid=2059b45a2a699910&hl=en
Here's a comment from another site giving some details on how it was done and such.
It has nothing to do with IF_HTML_FUNCTION
Tested on my own video here: http://www.youtube.com/watch?v=ujr1JSYe4UU
All you need is:
<script><script>PAYLOAD
Any HTML after the second non-closed script tag survives unescaped. /b/ is having a field day, because it's easy copypasta page breaking.
YouTube escapes the first script tag and not the second.
Edit: okay here it is:
<script><unescaped_html_here><do_what_ever_you_want><body onload="alert('is quite popular');"> <h1>Big header? Nope!</h1>
results in this being put in the page.
<script><unescaped_html_here><do_what_ever_you_want><body onload="alert('is quite popular');"> >h1<Big header? Nope!>/h1<
Remember to close the div of the comment box if you want the page to stay semi-functional.
Anyway, yeah, this technically means that your account could have been 'hacked' (session hijacked) if you watched any vids or viewed anyone's page today while logged in (anywhere with comments).
Kinda sad that this flaw even existed tbh D:
Here's an article about it: http://thenextweb.com/socialmedia/2010/07/04/youtube-hacked-justin-bieber-videos-targeted/comment-page-1/#comment-9023
Seems they targeted justin bieber vids and shit, fucking lulz.
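Added illustration, not from the post and not YouTube's code: a sanitizer that reproduces the "escapes the first script tag and not the second" behaviour described above, next to the correct fix of encoding every HTML-significant character. Function names and the sample comment are constructed for this example.

```javascript
// Buggy variant: a non-global regex rewrites only the FIRST match, so any tag
// after it reaches the page untouched. Blacklisting one tag name is the wrong
// approach anyway; it is shown here only to mirror the behaviour in the thread.
function escapeFirstScriptOnly(comment) {
  return String(comment).replace(/<script>/i, "&lt;script&gt;");
}

// Correct variant: output-encode every &, <, >, " and ' for an HTML text
// context, so nothing in user-supplied text can ever be parsed as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Simple post-condition check: does the output still contain anything that an
// HTML parser would treat as the start of a tag or comment?
function containsRawTag(html) {
  return /<[a-z!\/]/i.test(html);
}

// Constructed sample following the pattern quoted in the post (two unclosed
// script tags followed by arbitrary HTML).
const sampleComment = "<script><script><h1>Big header? Nope!</h1>";

// Compare both sanitizers on the same input.
function compareSanitizers(comment) {
  return {
    buggy: escapeFirstScriptOnly(comment),
    buggyStillHasTag: containsRawTag(escapeFirstScriptOnly(comment)),
    fixed: escapeHtml(comment),
    fixedStillHasTag: containsRawTag(escapeHtml(comment)),
  };
}

console.log(compareSanitizers(sampleComment));
```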