05/07/2010, 05:37 AM
I don't visit Youtube often, but some of you who do may have seen this? Apparently, a HTML exploit was discovered in Youtube's commenting system. By starting the comment with "<script>", one could insert arbitrary HTML onto the page (or something like that). The actual tag gets filtered properly, but everything after doesn't.
http://www.google.com/support/forum/p/yo...9910&hl=en
I think comments are hidden now - unsure if the issue is actually fixed or not.
I guess 4chin SUCK people had a bit of a field day with this.
Random comment:
http://www.google.com/support/forum/p/yo...9910&hl=en
I think comments are hidden now - unsure if the issue is actually fixed or not.
I guess 4chin SUCK people had a bit of a field day with this.
Random comment:
Quote:The evolution of this bug exploit was quite interesting to follow up close.
At first it simply prevented any further comments to be posted.
Then text was added.
Then the text was scrolling.
Suddenly, the entire page was blacked out except for the added text.
And that's when the more technical minded people realized much much more was possible.
Bam! Popups!
Infinite popups that lead to browser crashes!
Page redirects to shock sites!
The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video..
And when the exploit was blocked in the comments, it had a small resurgence as video reply title, before being smacked down once more.
Glorious.