Heh... Youtube got owned...

[WhoIsYou]

4chan had a field day, an XSS flaw was found, allowing anyone to inject unsanitized html/javascript into youtube comments.

Here's a thread on the google support site that someone made about it:
http://www.google.com/support/forum/...2a699910&hl=en

Here's a comment from another site giving some details on how it was done and such.

It has nothing to do with

IF_HTML_FUNCTION

Tested on my own video here: http://www.youtube.com/watch?v=ujr1JSYe4UU

All you need is:

<script><script>PAYLOAD

Any HTML after the second non-closed script tag survives unescaped. /b/ is having a field day, because it's easy copypasta page breaking.

YouTube escapes the first script tag and not the second.

Edit: okay here it is:

<script><unescaped_html_here><do_what_ever_you_wan t><body onload="alert('is quite popular');"> <h1>Big header? Nope!</h1>

results in this being put in the page.

&lt;script&gt;<unescaped_html_here><do_what_ever_y ou_want><body onload="alert('is quite popular');"> &gt;h1&lt;Big header? Nope!&gt;/h1&lt;

Remember to close the div of the comment box if you want the page to stay semi-functional.

Anyway, yeah, this technically means that your account could have beeen 'hacked' (session hijacked) if you watched any vids or viewed anyone's page today while logged in (anywhere with comments).

Kinda sad that this flaw even existed tbh D:
Here's an article about it: http://thenextweb.com/socialmedia/20.../#comment-9023
Seems they targeted justin bieber vids and shit, fucking lulz.

[Blaze_Fire]

Guy on the google support link said it was ebaumsworld.. either way, still funny.

[WhoIsYou]

Guy on the google support link said it was ebaumsworld.. either way, still funny.

-_- Everything is ALWAYS blamed on ebaums...