Monday 5 July 2010

YouTube XSS attack becomes Panic in the Sky on Twitter

You’ve probably already heard about what happened with YouTube yesterday – an XSS vulnerability allowed people to perform all manner of, er, interesting things on video pages (mostly involving Justin Bieber, but quickly spreading to random videos). It started with the ability to block fresh comments, but quickly moved into the realms of scrolling text (the red “Come to Korea”):

Bieber Korea

…then delved into everything from Goatse redirects (if you don’t know, don’t ask – and don’t go Googling it in work, either) and text overlays to particularly nasty shock sites such as this one:

Bieber Jar

You REALLY do not want to go searching for the above. Trust me on this.

Google patched it up relatively quickly – however, I was more interested by other aspects of the attack.

Incorrect information filled sites such as Twitter and quickly took on a life of its own. This was on the front page of Twitter with 100+ retweets shortly after the cut-and-paste code action took place:

a virus?

Advising people to steer clear until the problem is fixed? That’s good. Lots of people running around telling lots more people that there’s a “virus”? That’s not so good.

The “virus” talk went viral, and you can see a huge slice of people amplifying the “virus” talk here. Even hours after it’s been fixed, people continue to talk about “getting infected” by a nonexistent virus and there’s a lot of unscheduled scans now taking place:

scans


This next chap took a swing at the “common folk”, which inevitably resulted in him having to apologise for something else afterwards:

misinfo1

misinfo 2

Here’s a popup on one of the videos, courtesy of 0ph3lia:

please delete...

“Malware has been detected. Please go to my computer, C Drive, Windows and delete the folder named System32 to correct this error”.

Of course, by the time the story had appeared on various news sites, something like the above (a piece of self-inflicted computer destruction) had become an honest-to-goodness exploit:

not exactly...

That is indeed “scary stuff”, but for entirely different reasons. Despite the attack having been fixed, there’s going to be a lot of screenshots like this doing the rounds for some time.

Anyway, I just thought the Chinese Whispers style misinformation clouding the actual attack was pretty interesting.

Something else to think about: if this exploit had been discovered by a professional moneymaking outfit, there could have been all sorts of subtle attacks taking place for a long time – not good, given the apparent simplicity of the attack.

In the time it took to launch all the popups, messages involving Bieber dying horribly and porno redirects, I did see some small evidence of “the usual suspects” getting in on the act.

A collection of YouTube videos were obscured by a large, black overlay – if you held down your mouse button and highlighted inside it, you’d reveal some text:

bieber text

You’ll never guess what kind of scam artist jumped on the bandwagon:

bieber survey

Yes, one of those wonderful “fill in the survey to watch a film” portals that never actually seem to give you the promised reward – although in this case the reward is a Twilight movie so we’ll let them off with it this time.

Christopher Boyd
