The YouTube XSS Vulnerability Explained
In this attack the Comments feature of YouTube videos was targeted. The attacker simply pasted a malicious script into the comment field under a video; because comments are stored and served to everyone who later opens that video page, this is a stored (persistent) XSS, and the payload reached every viewer of the page.
In its simplest form, the comment looked like this:
<script><h1><marquee><font color="red"><u>HaHa – This text will scroll in red, on your screen</script>
In the comments actually posted during this attack, the keyword IF_HTML_FUNCTION? appears right after the <script> tag:
<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>HaHa – This text will scroll in red, on your screen<script>
Apart from this keyword, I also noticed that the <script> tag is not properly closed: the comment ends with a second <script> rather than </script>. This is probably what caused other scripts on the same page to stop functioning. An opening <script> with no matching close puts the browser's HTML parser into script-text mode until the next </script> it finds anywhere in the page, so whatever legitimate script block ends there is corrupted and fails to run.
While YouTube was vulnerable, users began creating variants of the marquee script. One of them redirected viewers to Goatse, an infamous shock site, as can be seen below.
<script><BODY onLoad="var a = '\x68\x74\x74\x70\x3a\x2f\x2f' + '\x77\x77\x77\x2e' + 'goatse' + '\x2efr'; location.href = a;"
One thing to note about this script is that IF_HTML_FUNCTION? is missing, while the <script> tag is again not closed (nor, for that matter, is the <BODY> tag). The hex escapes in the onLoad handler decode to http://www.goatse.fr; splitting the address into escaped fragments like this is a standard way of getting a URL past a filter that only looks for keywords in the raw comment text.
Videos emerged of other users experimenting with the newly discovered flaw. One user filmed himself posting the following script, which turns the entire page black except for the words *TEXT HERE*:
<script><h1><marquee style="position: absolute; top: 0px; bottom: 0px; left: 0px; z-index: 9999999; right: 0px; background-color: rgb(0, 0, 0);"><font style:="font-size:60px" color="red"><u style="">*TEXT HERE*<script>
As in the previous two examples, the <script> tag is not closed, and as in the redirect example the IF_HTML_FUNCTION? keyword is missing. The absolutely positioned marquee, stretched to all four edges with a huge z-index and a black background, simply covers everything else on the page; nothing beyond HTML and CSS is injected, yet the effect is a full-page defacement.
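The following is an added example for this write-up, not code from the original post or from YouTube. It walks through the redirect payload quoted above: it pulls the inline event handler out of the comment, resolves the hex escapes and string concatenation inside it, and compares a keyword check on the raw comment text with the same check on the decoded text. The keyword check is a constructed stand-in for "a filter that looks for bad words in comments" and says nothing about how YouTube's own filter worked.

```javascript
// Added example, not code from the original post or from YouTube.

// Constructed copy of the redirect comment quoted in the post. String.raw keeps
// the \xNN sequences literal, so the value is exactly the text that was posted.
const REDIRECT_COMMENT = String.raw`<script><BODY onLoad="var a = '\x68\x74\x74\x70\x3a\x2f\x2f' + '\x77\x77\x77\x2e' + 'goatse' + '\x2efr'; location.href = a;"`;

// Resolve the escapes a JavaScript engine resolves inside one string literal
// body: \xHH, \uHHHH, the single-letter escapes, and "\<anything else>",
// which stands for the character itself (\', \\, \/ ...).
function decodeJsStringBody(body) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", "0": "\0" };
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (match, esc) => {
    if (esc[0] === "x" || esc[0] === "u") {
      return String.fromCharCode(parseInt(esc.slice(1), 16));
    }
    return simple[esc] !== undefined ? simple[esc] : esc;
  });
}

// Collect the bodies of all inline event handlers (onload, onclick, ...) in an
// HTML fragment, whether the attribute value is quoted with " or '.
function extractEventHandlers(html) {
  const re = /\son[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const handlers = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    handlers.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return handlers;
}

// Heuristic, not a JavaScript evaluator: take every string literal in a handler
// body in source order and join them, which is what a chain of 'a' + 'b' + 'c'
// concatenations evaluates to. Good enough to undo the split-and-escape trick.
function concatStringLiterals(js) {
  const literal = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g;
  const parts = [];
  let m;
  while ((m = literal.exec(js)) !== null) {
    parts.push(decodeJsStringBody(m[1] !== undefined ? m[1] : m[2]));
  }
  return parts.join("");
}

// One decoded string per event handler found in the comment.
function decodedHandlerStrings(comment) {
  return extractEventHandlers(comment).map(concatStringLiterals);
}

// Keyword check on the comment exactly as posted: this is what the obfuscation defeats.
function rawContains(comment, keyword) {
  return comment.toLowerCase().includes(keyword.toLowerCase());
}

// The same keyword check, run on the decoded handler strings instead.
function decodedContains(comment, keyword) {
  const k = keyword.toLowerCase();
  return decodedHandlerStrings(comment).some((s) => s.toLowerCase().includes(k));
}

console.log("decoded handler:", decodedHandlerStrings(REDIRECT_COMMENT)); // [ 'http://www.goatse.fr' ]
console.log("raw match:", rawContains(REDIRECT_COMMENT, "goatse.fr")); // false
console.log("decoded match:", decodedContains(REDIRECT_COMMENT, "goatse.fr")); // true
```

Decoding like this is useful for triage (seeing where an obfuscated comment actually sends people), but it is not a defence: a blocklist that has to decode attacker-controlled JavaScript to find the bad word will always be one encoding behind the attacker.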
By the time I got around to creating my own experiments, YouTube had already fixed the problem; they also briefly, and without giving details, acknowledged the attack (Google acknowledges YouTube hack.)
The fix was swift and effective, but it also stopped me from carrying out further tests, so I was not able to determine what would happen if, for example, the <script> tag were properly terminated.
Lessons Learned and Countermeasures
It is still not clear whether this flaw had existed for a long time unnoticed or was a recently introduced bug; hopefully YouTube will explain how this XSS vulnerability came about.
My gut feeling is that a recent software update introduced this security hole. If so, it reinforces what security experts keep saying: build security testing into your QA process, preferably with automated tools such as web vulnerability scanners. Security testing and vulnerability scanning are not exercises done once and never again; they need to be repeated every time a web application is updated, which in YouTube's case probably means daily. The cheapest form of this is a regression test that replays known payloads against every place user input is rendered.
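As an added example, not YouTube's code or the original article's, here is a blocklist-style comment filter set beside the countermeasure that actually holds, HTML-encoding the comment at output time, with both run against the payloads quoted in this post as the kind of regression check that belongs in a QA pipeline and is re-run on every deployment. The filter, the encoder, the page template and the payload list are all constructed for the example and make no claim about how YouTube's filter was built.

```javascript
// Added example, not code from the original post or from YouTube.

// Constructed copies of the three comment payloads quoted in the post.
const PAYLOADS = [
  '<script><h1><marquee><font color="red"><u>HaHa - This text will scroll in red, on your screen</script>',
  String.raw`<script><BODY onLoad="var a = '\x68\x74\x74\x70\x3a\x2f\x2f' + '\x77\x77\x77\x2e' + 'goatse' + '\x2efr'; location.href = a;"`,
  '<script><h1><marquee style="position: absolute; top: 0px; bottom: 0px; left: 0px; z-index: 9999999; right: 0px; background-color: rgb(0, 0, 0);"><font style:="font-size:60px" color="red"><u style="">*TEXT HERE*<script>',
];

// Blocklist approach: remove <script> and </script> tags and trust the rest.
// Everything that is not a script tag (marquee, body onload, ...) survives.
function stripScriptTags(comment) {
  return comment.replace(/<\/?script\b[^>]*>/gi, "");
}

// Output encoding for an HTML body context: every character that could start
// or end markup becomes an entity, so the browser can only ever show it as
// text. An attribute or JavaScript context needs its own encoder; this one is
// not sufficient there.
function encodeForHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Page template (constructed): the only markup in the output should be this wrapper.
function renderComment(comment, sanitize) {
  return `<div class="comment">${sanitize(comment)}</div>`;
}

// Anything that still looks like the start of a tag after sanitisation is a leak.
function containsMarkup(s) {
  return /<[a-z!\/]/i.test(s);
}

// Regression check: indexes of the payloads that come out of the sanitiser
// still carrying markup. A correct sanitiser returns an empty list, and this
// is the check to wire into CI so it runs on every update.
function leakedPayloads(sanitize) {
  const leaked = [];
  PAYLOADS.forEach((p, i) => {
    if (containsMarkup(sanitize(p))) leaked.push(i);
  });
  return leaked;
}

console.log("stripScriptTags leaks:", leakedPayloads(stripScriptTags)); // [ 0, 1, 2 ]
console.log("encodeForHtml leaks:", leakedPayloads(encodeForHtml)); // []
console.log(renderComment(PAYLOADS[0], encodeForHtml));
```

The blocklist filter passes all three payloads with their markup intact, because none of the dangerous parts are script tags; the encoder turns every one of them into harmless text. If comments are ever inserted into an attribute, a URL or a script block rather than the HTML body, a different encoder for that context is needed, and the regression list should grow with every payload seen in the wild.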
This attack is a stark reminder of how exposed Internet users are to XSS. A classic and relatively simple attack worked against the biggest Internet giant; if Google and YouTube cannot keep their users safe, then who can?