Hackers Target YouTube With XXX XSS Attacks
Hackers apparently used cross-site scripting attacks to prank YouTube users over the weekend, injecting pop-ups and redirecting viewers to pornographic websites. Google says it's identified and fixed the vulnerability. "Preventing XSS attacks requires a lot of code review and, generally, outside consultants to help," explained ESET's Randy Abrams.
Jul 6, 2010 12:18 PM PT
Hackers hit YouTube over the weekend, injecting pop-ups, disabling comments and redirecting viewers to porn sites when they tried to access videos.
Google clamped down on the problem swiftly and is attempting to figure out who was behind the attack.
The hack followed the online publication of a YouTube HTML code injection exploit.
The hackers used a cross-site scripting (XSS) attack on YouTube. This is a technique that injects code into a user's browser instance.
In YouTube's case, the attackers used HTML script on users' comments pages.
The YouTube filter will take out the first script tag but not the second.
Some viewers who logged on to watch videos on YouTube were reportedly redirected to sites featuring adult entertainment as well as various shock sites around the Web.
No Muss, Just Fuss
News of the hack spread rapidly online, with some people speculating that YouTube had been hit by some sort of virus. However, the attack's threat was limited, Google spokesperson Jay Nancarrow told TechNewsWorld.
"This vulnerability allowed attackers to insert their own HTML code into certain YouTube pages," Nancarrow explained. "It could not have been used to access any Google accounts or other properties."
The attack was "more of an annoyance than a threat," Nancarrow said.
Google temporarily hid comments by default within one hour of learning about the hack and released a complete fix for the problem within two hours, Nancarrow said. It's continuing to study the vulnerability to help prevent similar issues in the future.
Nancarrow declined to comment on reports that videos of teen singer Justin Bieber were the most heavily hacked.
Some reports claim the hackers were users of the 4Chan Internet subculture and activism website.
However, Nancarrow refused to speculate about the identity of the hackers.
"Google is fully investigating the issue," Nancarrow remarked.
The attack followed the posting of information about the HTML vulnerability in YouTube by "TinKode" on a Romanian blog July 3.
The writer gave examples of how to activate HTML in comments, how to launch popups, and how to redirect YouTube viewers to other sites.
"TinKode" also posted proof of the HTML injection exploit detailed in the blogpost.
Posting the exploit on the Internet was not a wise move, Randy Abrams, director of technical education at ESET, told TechNewsWorld.
"TinKode needs a skilled mentor because he is not at all good at responsible disclosure," Abrams remarked. Generally, responsible disclosure involves privately informing the site in question about the vulnerability, then giving it adequate time to fix the problem before publicizing it.
Fending Off XSS Attacks
Although Google shut down the attack on YouTube, it may still be vulnerable to XSS attacks, as are other websites, ESET's Abrams warned.
"Preventing XSS attacks requires a lot of code review and, generally, outside consultants to help," Abrams explained. "Even then, it's not guaranteed that all potential attacks have been identified."
That's because XSS attacks come in many forms.
There are three basic types of XSS attacks: Non-persistent, persistent and DOM-based. DOM, the Document Object Model, is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents.
In non-persistent attacks and DOM attacks, victims have to either visit a link seeded with malicious code or visit a malicious Web page containing a form that will unleash the attack. Such Web forms can be submitted automatically without the victim's knowledge.
In persistent attacks, the attacker stores malicious code on a website for some time. Victims don't have to do anything to trigger an attack; they just have to view the page containing the code.
"If we knew of all the ways these attacks can be carried, the top sites would prevent all of them," Abrams said. "However, there are probably more undiscovered or undisclosed tricks out there. Additionally, the implementation of new technologies or even new versions of current software will undoubtedly produce new opportunities for all kinds of exploitation."