On the 4th of July 2010 YouTube users began complaining that their videos had been hijacked, the comments section of their videos seemed to be most severely affected, many complained that old comments vanished and new comments could not be added. Others reported that offensive messages were popping up on their screen or scrolling horizontally in large fonts and striking colors. Some users also seemed to suggest that there were experiencing page redirects, often to sites promoting pornographic content.
YouTube users voiced their experiences on YouTube message boards, Twitter and other social networking sites. Within minutes it was apparent that the YouTube website was under attack.
YouTube’s XSS (Cross Site Scripting) defenses had been defeated. Security-minded people began shouting warnings, asking users to stay off YouTube. Other YouTube users urged others to log out from their account, for fear of cookie hijacking, and other nasties caused by XSS attacks.
Within an hour or two the problem was fixed, YouTube servers were cleaned out, rebooted and the Internet as we know it was restored to normality.
Very few realized that what they had just witnessed was probably the single most embarrassing and largest security breach that Google has ever suffered. This flaw could, and probably will, tarnish Google’s reputation and raise new awareness to everyone. People ask; how can Google, and YouTube suffer from such a classic XSS attack as this one?
The YouTube XSS Vulnerability Explained
In this attack the Comments feature of YouTube videos was targeted. The attacker would simply paste his malicious script into the comments field that is available under videos on the YouTube website.
<script><h1><marquee><font color=”red”><u>HaHa – This text will scroll in red, on your screen</script>
In this particular attack, the keyword IF_HTML_FUNCTION? appears after the <script> tag, in the following way:
<script>IF_HTML_FUNCTION?<h1><marquee><font color=”red”><u>HaHa – This text will scroll in red, on your screen<script>
Apart from this keyword, I also noticed that the <script> tag is not properly closed. This is probably what caused other scripts on the same page to stop functioning.
During the time the YouTube was vulnerable users began creating variants of the marquee script, one of which would redirect users to Goatse, an infamous hacker web site, as can be seen below.
<script><BODY onLoad=”var a = ‘x68x74x74x70x3ax2fx2f’ + ‘x77x77x77x2e’ + ‘goatse’ + ‘x2efr’; location.href = a;”
One thing to note about this attack script is that the IF_HTML_FUNCTION? is missing, but the <script> tag is still not properly closed.
Videos emerged of other users experimenting with this newly discovered flaw. One user made a video of himself exploiting the following script, which will have the effect of making the entire page black, except for the words *TEXT HERE*:
<script><h1><marquee style=”position: absolute; top: 0px; bottom: 0px; left: 0px; z-index: 9999999; right: 0px; background-color: rgb(0, 0, 0);”><font style:=”font-size:60px” color=”red”><u style=””>*TEXT HERE*<script>
Similar to the previous two examples, the <script> tag is not properly closed, and just like the example before this one, the IF_HTML_FUNCTION keyword is missing.
By the time I go around to creating my own experiments, YouTube had already fixed the problem, they also very briefly, and without detail, admitted to the attack.
The fix was swift and effective, however it impeded me from carrying out further tests, so I was not able to determine what would happen if, for example the <script> tag was properly terminated.
Lessons Learned and Countermeasures
It is still not clear whether this attack existed for a long time but never noticed, or whether it was a recently introduced bug; hopefully YouTube will explain to us how this XSS vulnerability was made possible.
My gut feeling is that a recent software update introduced this security hole; if this is the case, it reinforces what some security experts are saying; incorporate security test in your QA process, preferably with automated tools such as vulnerability scanners. Security testing and vulnerability scanning are not exercises that are done once and then never again. They need to be re-done each time a software update is made to your web apps. In the case of YouTube, this is probably a daily exercise.
This attack is a stark reminder of how vulnerable Internet users are to XSS attacks. A classic and relatively simple attack worked against the biggest Internet giant. If Google and YouTube cannot keep their users safe, then who can?