YouTube has code injection bug in their comments system

By Tim Quax on 05 July 2010

A bug in processing user input from YouTube's comment system enables code injection on all video pages. Early adopters could make their comments invisible or, worse yet, lead unsuspecting visitors to a malware site.

The fact that it took until now for the comment system bug to appear is remarkable. Its cause is improper sanitizing of user input: a second script tag can be generated from within the comment, which is the main ingredient for a nice code injection pasta. The number of videos on which this bug has been exploited is growing significantly.
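To make the root cause concrete, here is an added example (not YouTube's code and not part of the original post) that contrasts a filter which neutralises only one script tag with output encoding of every HTML metacharacter. The function names and the sample comment are hypothetical and constructed for illustration.

```javascript
// Added illustration; not YouTube's code. All names are hypothetical.

// Flawed approach: neutralises only the FIRST <script> tag it finds.
// String.prototype.replace with a non-global regex stops after one match.
function naiveFilter(comment) {
  return comment.replace(/<script\b[^>]*>/i, "");
}

// Robust approach: encode every HTML metacharacter at output time,
// so the browser treats the whole comment as text, never as markup.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(comment) {
  return String(comment).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True if the rendered string still contains the start of any tag.
function containsMarkup(rendered) {
  return /<[a-z!\/]/i.test(rendered);
}

// Constructed sample comment containing two script tags.
const sampleComment =
  '<script></script><script>document.title = "changed"</script> nice video';

// Runs both approaches over the sample and reports what survives.
function demo() {
  const naive = naiveFilter(sampleComment);
  const escaped = escapeHtml(sampleComment);
  return {
    naive,
    escaped,
    naiveStillHasMarkup: containsMarkup(naive),
    escapedHasMarkup: containsMarkup(escaped),
  };
}

console.log(demo());
```

The filtered comment still carries a live script tag, while the escaped one contains no markup at all and displays as literal text.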

With the significant growth of this exploit and YouTube's failure to track and fix the problem, the comment system was temporarily disabled. By now the comment system is considered fixed and is enabled once again.

I say epic fail; I find this funny as well as pretty sad. Even the smallest sites are carefully sanitizing their user input. How a huge website like YouTube can make this mistake is beyond me.

