YouTube persistent XSS vulnerability

Written by DP

Monday, 5 July 2010

YouTube XSS

Researchers from a Romanian security team (InSecurityRomania) have revealed a critical persistent cross-site scripting (XSS) vulnerability which affects YouTube's comment field.

The issue now appears to be fixed (Google's Official Statement), but malicious users may already have exploited it to redirect unwitting YouTube users watching videos to drive-by download pages in order to infect them with malware, adware and spyware. Blackhat internet marketers may also have exploited it on the most viewed YouTube videos to drive significant traffic to their websites.

TinKode blogged about it on 3 July, saying that you can activate HTML in comments with:

<script>HTML Code

He also provided further examples of what could be done:

HTML Code Injection

<script><h1> Visit Insecurity.Ro – ISR Security Team <blink><marquee><br><br>TinKode

Popup JavaScript Alert Box:

<script><BODY onLoad=”alert(‘Visit – TinKode’);”


<script>Zbody onLoad=”document.write(‘<script>window.location = String.fromCharCode(104, 116, 116, 112, 58, 47, 47, 119, 119, 119, 46, 105, 110, 115, 101, 99, 117, 114, 105, 116, 121, 46, 114, 111, 47);</script>’);”;
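The strings above all rely on markup after a leading `<script>` tag reaching the page unencoded. The following is an added example, not code from YouTube or from the researchers: `naiveFilter` is a hypothetical model of a filter that handles only the first `<script>` tag, shown beside output encoding that leaves the whole comment inert. The sample comment is constructed.

```javascript
// Added example. naiveFilter is a hypothetical model, not YouTube's actual filter.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Weak approach (assumed behaviour): drop the first <script> tag, then
// pass everything after it through without encoding.
function naiveFilter(comment) {
  const tag = "<script>";
  const i = comment.toLowerCase().indexOf(tag);
  if (i === -1) return escapeHtml(comment);
  return escapeHtml(comment.slice(0, i)) + comment.slice(i + tag.length);
}

// Check usable in a regression test: does any raw tag opener survive?
function hasRawTag(html) {
  return /<[a-z!\/]/i.test(html);
}

// Constructed sample with the same shape as the comment strings quoted above.
const SAMPLE = "<script><h1>constructed sample</h1>";

function demo() {
  return {
    weak: naiveFilter(SAMPLE),        // markup after the tag stays live
    encoded: escapeHtml(SAMPLE),      // rendered as literal text
    weakIsLive: hasRawTag(naiveFilter(SAMPLE)),
    encodedIsLive: hasRawTag(escapeHtml(SAMPLE)),
  };
}

console.log(demo());
```
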


The team have also prepared the following videos demonstrating the vulnerability:


Youtube HTML Code Injection - InSecurity.RO from TinKode on Vimeo.

Youtube Defaced and Redirected from TinKode on Vimeo.

Follow related discussions on YouTube's official support forum:

YouTube has been XSSed multiple times in the past.



"Youtube HTML Code Injection" - 3 July 2010 - TinKode - InSecurityRomania (ISR)
"YouTube XSS Vulnerability Fixed [Official Statement]" - 4 July 2010 - Pallab De -

Related News:

"Stored XSS vulnerability on YouTube actively abused?" - 4 July 2010 - Bojan Zdrnja - SANS Internet Storm Center
"Dangerous XSS Bug Found on YouTube" - 5 July 2010 - Lucian Constantin - SoftPedia (Only this news article credits TinKode)
"YouTube vuln pwns Justin Bieber fans" - 5 July 2010 - John Leyden - The Register
"Dangerous XSS vulnerability found on YouTube – the vulnerability explained" - 6 July 2010 - Jeremy Pullicino - Acunetix

Related News on XSSed:

"YouTube XSS celebrates one month of age" - 6 December 2007 - DP
