YouTube vuln pwns Justin Bieber fans
Shock site redirect in XSS chaos
Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.
Predictable enough, pranksters at 4Chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4Chan are separately trying to rig an online poll to encourage Beiber to play North Korea in an upcoming tour.
In other cases the flaw has become the fodder of comment spam.
Google iced the problem hours after it first appeared, techie-buzz.com reports.
"We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago," said Google. "Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future."
The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt - containing screenshots - charts the genesis of this rumour, which is just the sort of thing that's likely be used in new anti-virus (scareware) scams.
Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.