Google (NASDAQ: GOOG) has fixed a flaw on YouTube which allowed hackers to bombard users with pop-up messages and redirect unsuspecting users to adult websites.
Malfeasants placed their carefully-crafted code into the comments section under popular videos which would run when people watched the clip. In some cases, a pop-up screen appeared reporting that Canadian pop singer Justin Bieber had died in a car accident.
Google, which owns YouTube, said that it had resolved the issue about two hours after the hole was discovered. “We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com,” a spokesperson said. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours.”
Cross-site scripting (XSS) vulnerabilities are generally simple attacks that allow hackers to place code in other people’s websites. In YouTube’s case, Google failed to prevent JavaScript and HTML from being entered into comments on videos. As a result, unsavory users could place JavaScript in comments in popular videos which redirect users to other websites and triggered popups.
“The thing with a cross-site scripting attack is that it will appear that it is a message being posted by that website, which gives it a certain legitimacy”, said Graham Cluley of security firm Sophos told BBC News. “It could be used to show a message that tells you to update your password; it could link to a malicious website; or it could attempt to phish you.”
