YouTube, iTunes hit in holiday attacks

Cybercriminals were out in full force over the Independence Day weekend, launching attacks on some of the world's most popular online destinations: YouTube and iTunes.

Attackers on Sunday exploited a cross-site scripting (XSS) vulnerability in YouTube's comment system to embed HTML code on a portion of the social networking site's pages that caused pop-up messages and redirected users to pornographic websites, according to reports and security experts.

Those behind the attack primarily targeted videos of Canadian pop star Justin Bieber and posted messages stating that the 16-year-old singer died in a car crash. Pages unrelated to Bieber were also affected.

One pop-up on a Bieber video read, “BREAKING NEWS: Justin bieber died in a horrific car accident earlier this morning, please visit the CNN homepage for more info.”

Google temporarily hid comments by default within an hour of the attack and fixed the issue in about two hours, Jay Nancarrow, a spokesman at Google, YouTube's parent company, said in a statement.

“We're continuing to study the vulnerability to help prevent similar issues in the future,” Nancarrow said.

The attack, while annoying, did not place users' machines at risk, according to reports. However, XSS vulnerabilities could be exploited to steal cookies or embed JavaScript that would execute in a user's browser, Bojan Zdrnja, a SANS Internet Storm Center handler, wrote in a blog post Sunday.

In the past, XSS vulnerabilities have been exploited to display fake login forms used to trick victims into handing over their credentials, Zdrnja said.

“Clearly YouTube is a big target, as it has so many millions of visitors every day, and you would hope that their web team will investigate what went wrong with their processes, and explore if they are reviewing code properly before it is made live to ensure that loopholes aren't left in their code in future,” Graham Cluley, senior technology consultant at anti-virus firm Sophos, wrote in a blog post Monday.
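The root cause described above is comment text reaching the page as live HTML. The following is an added illustration, not YouTube's code, of the defensive pattern a web team would check for in review: HTML-encoding untrusted comment text at output time, with a small check that flags any rendered fragment that still carries markup. The comment strings and the `example.invalid` host are constructed for the example.

```python
"""Added example: output-encoding untrusted comment text (not YouTube's code)."""
import html
import re

# Constructed sample comments: one benign, one shaped like the script-injection
# pattern the article describes (a tag that redirects the viewer's browser).
COMMENTS = [
    "great song!",
    '<script>document.location="http://example.invalid/"</script>',
]

WRAPPER_OPEN = "<li class='comment'>"
WRAPPER_CLOSE = "</li>"


def render_comment_unsafe(text: str) -> str:
    """The vulnerable pattern: raw interpolation, so any tags in `text`
    become part of the page's DOM and run in every viewer's browser."""
    return f"{WRAPPER_OPEN}{text}{WRAPPER_CLOSE}"


def render_comment_safe(text: str) -> str:
    """The fix: treat comment text as data.  html.escape converts &, <, >,
    " and ' to entities, so the browser shows the characters literally."""
    return f"{WRAPPER_OPEN}{html.escape(text, quote=True)}{WRAPPER_CLOSE}"


# A '<' followed by an optional '/' and a letter is the start of an HTML tag.
TAG_START_RE = re.compile(r"<\s*/?[A-Za-z]")


def contains_markup(rendered: str) -> bool:
    """Review-time check: after stripping the template's own wrapper element,
    does the fragment still contain anything that parses as a tag?"""
    body = rendered
    if body.startswith(WRAPPER_OPEN):
        body = body[len(WRAPPER_OPEN):]
    if body.endswith(WRAPPER_CLOSE):
        body = body[: -len(WRAPPER_CLOSE)]
    return TAG_START_RE.search(body) is not None


if __name__ == "__main__":
    for comment in COMMENTS:
        for renderer in (render_comment_unsafe, render_comment_safe):
            out = renderer(comment)
            status = "MARKUP LEAKED" if contains_markup(out) else "ok"
            print(f"{renderer.__name__:22} {status:14} {out}")
```

Output encoding must match the context the text lands in; the entity encoding shown here is correct for element content, but a value placed inside a JavaScript block or a URL attribute needs that context's encoding instead.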

Meanwhile, an unknown number of iTunes accounts were hacked over the holiday weekend by a rogue developer seeking to improve the ranking of their own applications, according to reports. The hacked accounts were used to purchase the developer's Vietnamese language ebooks, which at one point during the attack made up 40 of the top 50 iTunes books.

It is unclear exactly how the hacker gained access to the accounts — a phishing scam is possible — but their account has been suspended, and all the affected ebooks have been removed from the app store.

An Apple spokesperson did not respond to a request for comment made by SCMagazineUS.com on Tuesday.
