youtube logo 300x173 YouTube Hacked, Justin Bieber Videos Targeted.
Came here for the Youtube logo?
Use the embed code:

Updates at foot of the post, including statement from Google.

In the past hour it appears YouTube has become the target of a hacker attack, specifically targeting videos of pop singer Justin Bieber.

Videos relating to the star have been hit with a redirect hack with a number of different payloads. We’ve seen one redirect to an infamous, explicit “One Man One Jar” video while another covers the screen in the words “OMG Faggot”. A Twitter search confirms that the problem is widespread. Some users are reporting seeing a banner claiming that Bieber is dead.

(Update: here’s a screenshot:)

1278252382616 e1278253296870 YouTube Hacked, Justin Bieber Videos Targeted.

So, what’s causing this? Coder Richard Cunningham writes on his Posterous blog that it relates to video comments.

“It looks like they are deliberately using malformed HTML to get past YouTube’s checks for HTML sanitisation in the comments. The comment I’ve seen is using the long forgotten marquee tag and a javascript alert, though in principle it could be expanded to support XSS type flaws.”

Comments on many videos, some not related to Bieber, have code like this on them:

Screen shot 2010 07 04 at 14.58.45 YouTube Hacked, Justin Bieber Videos Targeted.

YouTube appears to be deleting or blocking comments on many video pages. The attack comes on the same day as an apparent iTunes App Store hack came to light. We’ll update with more information as we get it.

UPDATE: Discussions on the notorious 4chan bulletin board site point to members of its community being to blame. We won’t link to the site (the link would be unlikely to last long if we did) so here’s a screenshot of one such message.

Screen shot 2010 07 04 at 15.16.32 YouTube Hacked, Justin Bieber Videos Targeted.

UPDATE 2:

Reports on 4chan say that YouTube has blocked the script that hackers were using:

4chan1 e1278253557939 YouTube Hacked, Justin Bieber Videos Targeted.

UPDATE 3:

An update via Slashdot:

Several hours ago, someone found an HTML injection vulnerability in YouTube’s comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a