Updates at the foot of the post, including a statement from Google.
In the past hour, YouTube appears to have become the target of a hacker attack aimed specifically at videos of pop singer Justin Bieber.
Videos relating to the star have been hit with a redirect hack with a number of different payloads. We’ve seen one redirect to an infamous, explicit “One Man One Jar” video while another covers the screen in the words “OMG Faggot”. A Twitter search confirms that the problem is widespread. Some users are reporting seeing a banner claiming that Bieber is dead.
(Update: here’s a screenshot:)
So, what’s causing this? Coder Richard Cunningham writes on his Posterous blog that it relates to video comments.
“It looks like they are deliberately using malformed HTML to get past YouTube’s checks for HTML sanitisation in the comments. The comment I’ve seen is using the long forgotten marquee tag and a javascript alert, though in principle it could be expanded to support XSS type flaws.”
Comments on many videos, some not related to Bieber, have code like this on them:
YouTube appears to be deleting or blocking comments on many video pages. The attack comes on the same day as an apparent iTunes App Store hack came to light. We’ll update with more information as we get it.
UPDATE: Discussions on the notorious 4chan bulletin board site point to members of its community being to blame. We won’t link to the site (the link would be unlikely to last long if we did) so here’s a screenshot of one such message.
UPDATE 2:
Reports on 4chan say that YouTube has blocked the script that hackers were using:
UPDATE 3:
An update via Slashdot:
“Several hours ago, someone found an HTML injection vulnerability in YouTube’s comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet.”
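To make the bug class in that description concrete, here is an added example (not YouTube's code, nor from the Slashdot submitter): a hypothetical sanitizer that escapes only a tag at the very start of a comment and passes the remainder through, beside the correct approach of escaping the whole string, with a small audit helper that flags any sanitizer output still containing raw markup. The sample comments are constructed.

```python
import html
import re

# Constructed sample comments (not real YouTube comments). The first one has
# the shape described above: a leading <script> tag followed by more markup,
# here the <marquee> tag the article mentions.
SAMPLE_COMMENTS = [
    "<script><marquee>scrolling text</marquee>",
    "Great video <b>love it</b>",
    "plain text only",
]

_LEADING_TAG = re.compile(r"<[^>]*>")


def flawed_sanitize(comment: str) -> str:
    """Hypothetical reconstruction of the bug class the page describes.

    A tag at the start of the comment is escaped, but everything after it is
    emitted as-is. Comments that do not start with a tag take the normal path
    and are fully escaped, which is why only a leading tag triggers the bug.
    """
    m = _LEADING_TAG.match(comment)
    if m:
        return html.escape(m.group(0)) + comment[m.end():]
    return html.escape(comment)


def safe_sanitize(comment: str) -> str:
    """Correct approach for a plain-text comment field: escape the whole
    string, so no input can introduce markup into the rendered page."""
    return html.escape(comment)


def contains_raw_markup(rendered: str) -> bool:
    """True if the rendered string still holds an unescaped tag opener
    ('<' followed by a tag-name character, '/', '!' or '?')."""
    return re.search(r"<[A-Za-z/!?]", rendered) is not None


def leaking_inputs(sanitizer, comments=SAMPLE_COMMENTS) -> list:
    """Audit helper: return the inputs for which the sanitizer still
    emits raw markup. An empty list means no sample leaked."""
    return [c for c in comments if contains_raw_markup(sanitizer(c))]
```

Running `leaking_inputs` against both sanitizers shows the flawed one leaking exactly the comment with the leading tag, while the whole-string escape leaks nothing.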
UPDATE 4:
Google has sent us the following statement regarding the hack:
“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”
i dont mind if its Justin bieber =))
That’s not even the YouTube logo. Get it right.
I can’t check any comments anymore..
Dutch: “Reacties op deze video zijn verborgen door de veiligheidsmodus.”
(Means that safety mode is on and comments are hidden.)
Same with me
I have 2 pictures of youtube being hacked
Once I got a script code where it said that they were sending a supersmart team of monkeys to fix the problem!
IF_HTML_FUNCTION?*EXPECT US*
As the comment hack prevented flagging of videos, many people uploaded porn to youtube under the name of “Justin Bieber”, to tempt in the young Justin bieber fans.
I’ll bet it is Ebaum’s world!
they always had something against youtube
ANON DOES FORGIVE NOR DOES IT FORGET
the Ebaumsworld people sure are mean :(
well ebaumsworld did that
maybe it had something to do with the whole thing about the “Metal Militia” going to hate on his baby video.
fukin ebaumsworld
*EXPECT EBAUMS *
post in comments for last measure redirect
When my kid came laughing to me about this, I was horrified as the video of a talented young boy redirected to an old gentleman spreading his anus. Furthermore, I don’t believe 4-chan was responsible for this. The page was also filled with a black screen with the lines “ebaums ebaums ebaums”. Looked it up on Google and there seems to be a page called Ebaumsworld, responsible for such acts.
IF_HTML_FUNCTION?<BODY onLoad="alert('U MAD, CAUSE I'M STLYIN'?');"
Fucking 4Chan did not do this, MetalHeads did this. All the spam is marked -MM = Metal Militia. This was planned, dumb fucks.
ebaumsworld have no regard for common decency
It was ebaums world. I was there.
ccc inci siker ccc
IF_HTML_FUNCTION?*EXPECT US*
you gaise realize that 90% of the spam is from 4chan, right? Nobody cares about ebaumsworld, thats only a small site with a bunch of kids … 4chan on the other hand … oh well … see for yourself, newfags
God damn it ebaumsworld, why would you do that :/
Ddos Ebaum!
Ebaumsworld is mean. :(
I saw a post on ebaumsworld about youtube…I am guessing they had something to do with it.
I’ll bet it was the idea of Ebaum’s world!
I hope these simple-minded retards will be stopped
before they hack my site with diet tips
Ebaums world did that. They then tried to get the 4chan to go along but they declined.
GET YOUR NEWS RIGHT PLEASE
lol @ ebaums kiddies taking credit for everything after their 5% spamming
Damnit Ebaums World does it again.
fucking stupid people that do this shit
EBAUMSWORLD IS VICTORIOUS!