Youtube Vulnerability

View previous topic View next topic Go down

Youtube Vulnerability

Post by scryptz0 on Sun Aug 22, 2010 10:02 pm

In the past hour it appears YouTube has become the target of a manyakz attack, specifically targeting videos of pop singer Justin Bieber.

Videos relating to the star have been hit with a redirect hack with a number of different payloads. We’ve seen one redirect to an infamous, explicit “One Man One Jar” video while another covers the screen in the words “OMG Faggot”. A Twitter search confirms that the problem is widespread. Some users are reporting seeing a banner claiming that Bieber is dead.



So, what’s causing this? Coder Richard Cunningham writes on his Posterous blog that it relates to video comments.

It looks like they are deliberately using malformed HTML to get past YouTube’s checks for HTML sanitisation in the comments. The comment I’ve seen is using the long forgotten marquee tag and a javascript alert, though in principle it could be expanded to support XSS type flaws.

Comments on many videos, some not related to Bieber, have code like this on them:



YouTube appears to be deleting or blocking comments on many video pages. The attack comes on the same day as an apparent iTunes App Store hack came to light. We’ll update with more information as we get it.

====

Apart from this, InSecurityRomania shared some youtube html code injection in there site:
Code:
http://blog.insecurity.ro/youtube-html-code-injection/

Very Happy

_________________
order by
union select all
@@version
group_concat(table_name)
from information_schema.tables
group_concat(column_name)
from information_schema.columns
where table_schema=database()
(username,0x3a,password)


scryptz0

Posts : 60
Join date : 2010-08-08

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum