Details at:
http://facepunch.com/showthread.php?t=964337
Summary:
Allows malicious users to insert HTML and JavaScript into a YouTube video page.
How it's done:
Inserting "<script>IF_HTML_FUNCTION?<body onLoad="while(true)alert('XSS')"><script>" as a comment would cause pop-ups to come up indefinitely. There are new exploits being designed to steal cookies and redirect users to other sites.
Recommendation:
Do not visit YouTube while logged in to your Google account until this is fixed.
UPDATE:
YouTube has implemented "Safety Mode" which basically hides comments on page load along with a "Show hidden comments" link. Avoid viewing the comments for now.
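Added example, not part of the original post and not YouTube's code: it runs the comment string quoted above through a hypothetical tag-stripping filter and through HTML output encoding, to show why the first leaves the `onLoad` handler live while the second renders the comment as inert text. The function names and the weak filter are assumptions made for illustration.

```javascript
// Constructed sample: the comment string quoted in the post above.
const SAMPLE_COMMENT =
  "<script>IF_HTML_FUNCTION?<body onLoad=\"while(true)alert('XSS')\"><script>";

// Hypothetical weak filter (assumption, not YouTube's actual filter):
// a blocklist that removes only <script> tags.
function stripScriptTags(text) {
  return text.replace(/<\/?script\b[^>]*>/gi, "");
}

// Output encoding for an HTML text or quoted-attribute context:
// every HTML metacharacter is replaced by its entity, so nothing parses as markup.
const ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Render a comment body into the page; the encoder is applied at output time.
function renderComment(text, encode = escapeHtml) {
  return `<div class="comment">${encode(text)}</div>`;
}

// True if the fragment still contains something a browser would parse as a tag.
function hasActiveMarkup(fragment) {
  return /<[a-z\/!?]/i.test(fragment);
}

// Compare both approaches on the same input.
function compare(text) {
  const stripped = stripScriptTags(text);
  const encoded = escapeHtml(text);
  return {
    stripped,
    strippedIsLive: hasActiveMarkup(stripped), // <body onLoad=...> survives
    encoded,
    encodedIsLive: hasActiveMarkup(encoded), // no raw "<" remains
  };
}

console.log(compare(SAMPLE_COMMENT));
console.log(renderComment(SAMPLE_COMMENT));
```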
I've been following this closely, as well as the 4chan /b/ thread.
Looks like Google pulled the plug.
Edit: They went down for 5 mins, probably due to the massive amount of /b/tards.
Originally posted by Raraken:
I've been following this closely, as well as the 4chan /b/ thread.
Looks like Google pulled the plug.
Edit: They went down for 5 mins, probably due to the massive amount of /b/tards.
Seems like they have cleared up the mess already. Given that it's a public holiday for them today (Independence Day), I would say the response is pretty fast, but not fast enough. I mean, it has given enough time for some to develop exploits that wipe system32 directories off IE and Opera users (assuming the exploit on /b/ is working). As those on FacePunch have mentioned, they could simply shut down the server or disable the comments system entirely first and take their own time to fix it instead. But of course, it's Google - they probably had some red tape to clear before they could implement the necessary changes to the system.