YouTube Hacked

elapsed · Jul 5, 2010

In the past hour it appears YouTube has become the target of a hacker attack, specifically targeting videos of pop singer Justin Bieber.

Videos relating to the star have been hit with a redirect hack with a number of different payloads. We’ve seen one redirect to an infamous, explicit “One Man One Jar” video while another covers the screen in the words “OMG <bad word>”. A Twitter search confirms that the problem is widespread. Some users are reporting seeing a banner claiming that Bieber is dead.
Click to expand...

http://thenextweb.com/socialmedia/2010/07/04/youtube-hacked-justin-bieber-videos-targeted/

dw426 · Jul 5, 2010

Eh, this attack was coming, but they shouldn't have infected the vids with malicious payloads, that wasn't cool. Otherwise it would have been hilarious. It would have been a great time to pick the most godawful music video ever made and redirect to it, perhaps another Rick Roll. *sigh*

RCGuy · Jul 5, 2010

It must be working now. I just watched the Bieber kid, Janet Jackon, and JLO.

elapsed · Jul 5, 2010

RCGuy said:

It must be working now. I just watched the Bieber kid, Janet Jackon, and JLO.
Click to expand...

It was patched very quickly, but it just goes to show how bad guys could easily target the big guys for serving malware. Don't trust any website.

Rmus · Jul 5, 2010

dw426 said:

Eh, this attack was coming, but they shouldn't have infected the vids with malicious payloads, that wasn't cool.
Click to expand...

Are you sure that's what happened? Other sources report that malware was encountered on redirected sites, not in infected videos:

Report: Google issues fix for hacked YouTube
http://news.cnet.com/8301-1023_3-20009660-93.html

Google has plugged a hole hackers used Sunday morning to festoon YouTube videos with off-color pop-ups and adult-site redirects, according to a news outlet.

The hackers apparently had it in for Justin Bieber, focusing on clips related to the teen pop star,

IDG also quoted a source who said that though the hack itself didn't involve malware, any landing pages to which visitors were redirected could have.
Click to expand...

See here for an analysis of the hack:

Stored XSS vulnerability on YouTube actively abused?
http://isc.sans.edu/diary.html?date=2010-07-04

----
rich

Rmus · Jul 5, 2010

OK, I found a link that is still active - the user would have been redirected here from YouTube.
There is an exploit kit on the site, and IE6 pulled up this:

----
rich

dw426 · Jul 6, 2010

Rmus said:

Are you sure that's what happened? Other sources report that malware was encountered on redirected sites, not in infected videos:

Report: Google issues fix for hacked YouTube
http://news.cnet.com/8301-1023_3-20009660-93.html
See here for an analysis of the hack:

Stored XSS vulnerability on YouTube actively abused?
http://isc.sans.edu/diary.html?date=2010-07-04

----
rich
Click to expand...

I read the story wrong, actually, Rmus. I certainly didn't have first hand knowledge of the redirects or anything, I just knew something was going to happen to the kids' videos (Justins). Not that it was exactly a secret considering for the last month even Youtube should have known about it. MM had made it perfectly clear in the user comments of practically every popular music genres' videos that something was going to go down, not to mention the various "bad" forums.

As I had said earlier, if malware hadn't been involved, I would have supported it fully (think what you please of me, I hate the way the music industry is right now). But, when you start infecting innocent people who, for whatever reason there could possibly be, enjoy that useless trash record companies label "music", you'll get no support from me.

Rmus · Jul 6, 2010

Someone asked what a "stored" XSS vulnerability is -- the term was used in the sans.edu Diary I cited:

Stored XSS vulnerability on YouTube actively abused?
http://isc.sans.edu/diary.html?date=2010-07-04

From Wikipedia:

Cross-site scripting
http://en.wikipedia.org/wiki/Cross-site_scripting#Persistent

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.
Click to expand...

In the Diary, Bojan referred to "comment spam" which is what the attackers used to inject their HTML code.

One can imagine attackers poring over each line of code in the various applications used by web sites, looking for a vulnerability -- here, the application is "backend comment application." From the Diary:

The backend comment application used by YouTube incorrectly encoded output data – only the first entered tag was correctly encoded, so by supplying the comment with two <script><script> tags, the browser would get back the following: &ltscript&gt<script>. We can see here that the first tag is properly encoded and will be displayed by the browser as it is supposed to, but the second tag actually starts script code.

This incident shows how important it is to properly check every single point of your application that receives data from users, or displays it back to them. Besides correctly encoding data that is sent back to the browser, the script could have been fixed by also properly encoding data immediately after receiving it from the user.
Click to expand...

----
rich

Log in or Sign up

YouTube Hacked

elapsed Registered Member

dw426 Registered Member

RCGuy Registered Member

elapsed Registered Member

Rmus Exploit Analyst

Rmus Exploit Analyst

dw426 Registered Member

Rmus Exploit Analyst

Log in or Sign up

YouTube Hacked

elapsed Registered Member

dw426 Registered Member

RCGuy Registered Member

elapsed Registered Member

Rmus Exploit Analyst

Rmus Exploit Analyst

dw426 Registered Member

Rmus Exploit Analyst

Useful Searches