
YouTube, iTunes hit in holiday attacks

Cybercriminals were out in full force over the Independence Day weekend, launching attacks on some of the world's most popular online destinations: YouTube and iTunes.

Attackers on Sunday exploited a cross-site scripting (XSS) vulnerability in YouTube's comment system to embed HTML code on a portion of the social networking site's pages that caused pop-up messages and redirected users to pornographic websites, according to reports and security experts.

Those behind the attack primarily targeted videos of Canadian pop star Justin Bieber and posted messages stating that the 16-year-old singer died in a car crash. Pages unrelated to Bieber were also affected.  

One pop-up on a Bieber video read, “BREAKING NEWS: Justin bieber died in a horrific car accident earlier this morning, please visit the CNN homepage for more info.”

Google temporarily hid comments by default within an hour of the attack and fixed the issue in about two hours, Jay Nancarrow, a spokesman at Google, YouTube's parent company, said in a statement.

“We're continuing to study the vulnerability to help prevent similar issues in the future,” Nancarrow said.

The attack, while annoying, did not place users' machines at risk, according to reports. However, XSS vulnerabilities could be exploited to steal cookies or embed JavaScript that would execute in a user's browser, Bojan Zdrnja, a SANS Internet Storm Center handler, wrote in a blog post Sunday.

In the past, XSS vulnerabilities have been exploited to display fake login forms used to trick victims into handing over their credentials, Zdrnja said.

“Clearly YouTube is a big target, as it has so many millions of visitors every day, and you would hope that their web team will investigate what went wrong with their processes, and explore if they are reviewing code properly before it is made live to ensure that loopholes aren't left in their code in future,” Graham Cluley, senior technology consultant at anti-virus firm Sophos, wrote in a blog post Monday.

Meanwhile, an unknown number of iTunes accounts were hacked over the holiday weekend by a rogue developer seeking to improve the ranking of their own applications, according to reports. The hacked accounts were used to purchase the developer's Vietnamese language ebooks, which at one point during the attack made up 40 of the top 50 iTunes books.

It is unclear exactly how the hacker gained access to the accounts — a phishing scam is possible — but their account has been suspended, and all the affected ebooks have been removed from the app store.

An Apple spokesperson did not respond to a request for comment made by SCMagazineUS.com on Tuesday.
