Dangerous XSS vulnerability found on YouTube – the vulnerability explained
- Monday, July 5, 2010, 11:44
- Articles, Threat Research
On the 4th of July 2010, YouTube users began complaining that their videos had been hijacked. The comments section of their videos seemed to be most severely affected: many complained that old comments had vanished and new comments could not be added. Others reported that offensive messages were popping up on their screen or scrolling horizontally in large fonts and striking colors. Some users also seemed to suggest that they were experiencing page redirects, often to sites promoting pornographic content.
YouTube users voiced their experiences on YouTube message boards, Twitter and other social networking sites. Within minutes it was apparent that the YouTube website was under attack.
YouTube’s XSS (Cross-Site Scripting) defenses had been defeated. Security-minded people began shouting warnings, asking users to stay off YouTube. Others urged users to log out of their accounts, for fear of cookie hijacking and other nasties caused by XSS attacks.
Above: Some users reported this screen when browsing the YouTube site during the attack.
Within an hour or two the problem was fixed, YouTube servers ...