YouTube Hacked

It looks like someone calling themselves "SPONGE" (among others) on this page has hacked the comments on YouTube.

It looks like they are deliberately using malformed HTML to get past YouTube's checks for HTML sanitisation in the comments. The comment I've seen is using the long-forgotten marquee tag and a JavaScript alert, though in principle it could be expanded to support XSS-type flaws.

It looks like YouTube are dealing with this currently by deleting comments, presumably until they can fix their code.

I'd suggest staying away from YouTube until they have this fixed or at least logging out of YouTube if you use it.

Update: A Reddit user is saying that the exploit is triggered by using two <script> tags and that 4chan users are exploiting it.
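An added example, not part of the original post and not YouTube's code: it contrasts a hypothetical comment filter that neutralises only the first `<script>` tag (an assumption about how a doubled tag could slip through) with encoding every HTML-significant character on output. The sample comments, `weakFilter`, `escapeHtml`, `hasLiveTag` and `audit` are all constructed for illustration.

```javascript
// Constructed sample comments, modelled on what the post describes
// (a marquee tag, a doubled <script> tag) plus a mixed-case variant.
const SAMPLES = [
  'nice video!',
  '<marquee>scrolling text</marquee>',
  '<script><script>alert("x")</script>',
  '<ScRiPt >alert(1)</script >',
];

// Hypothetical weak filter (assumption): a blocklist that rewrites one
// exact tag. String.replace with a string pattern changes only the first
// match, so a second <script> tag, other tags and case variants pass through.
function weakFilter(comment) {
  return comment.replace('<script>', '&lt;script&gt;');
}

// Hardened path: treat the whole comment as text and encode every
// HTML-significant character, so no input can open a tag or attribute.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(comment) {
  return String(comment).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Regression check: does the filtered output still contain something a
// browser would parse as a tag?
function hasLiveTag(html) {
  return /<\s*\/?\s*[a-zA-Z]/.test(html);
}

// Return the sample comments whose markup survives the given filter.
function audit(filter) {
  return SAMPLES.filter((comment) => hasLiveTag(filter(comment)));
}

console.log('survive weakFilter:', audit(weakFilter));
console.log('survive escapeHtml:', audit(escapeHtml));
```

The same `audit` check works as a unit test for any comment-rendering path: feed it the output function and fail the build if anything is returned.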
