Login or Sign Up
- Logging in...
  
  By logging into your account, you agree to our Privacy Policy, personal data processing and storage practices as described therein.
  
  Remember me
  
  Forgot password or user name?
  
  or Sign Up
- Log in with

Search in titles only Search in (old) Community Talk only

Advanced Search

forums
blogs
articles
albums
dcgroups
defcon.org
media.defcon
infocon.org
reddit
store

Forum
Conference Archives
Past DEF CON Forum Content
(old) Community Talk

Guests can browse, to post please join the forums

Announcement

Collapse

No announcement yet.

YouTube XSS

Collapse

X

Collapse

Posts
Latest Activity
Photos

Page of 1
Filter

Time

All Time Today Last Week Last Month
Show

All Discussions only Photos only Videos only Links only Polls only Events only

Filtered by:

new posts

Previous template Next

VAX_to_PBX

Banned

Join Date: Nov 2004
Posts: 91

Share
Tweet

#1

YouTube XSS

November 27, 2006, 17:55

If you watch vloggers on YouTube you may have noticed some where getting "hacked." I was inspired to investigate, and found the problem. Haven't seen this published yet, but it's so simple it's disturbing.

It works a lot like the youtube API, and I found it by looking at the javascript function(removevideo(video_id).)

All you'd have to do is get the video ID's of all the users video, and create a loop in some client side scripting.

I'll only give whole URL's to keep from breaking any forum rules, but YouTube basically has dozens of XSS vulnerabilitys.

I hope I don't offend anyone by posting this, but I figured some of you probably use the service, and would like to know how people are getting there video's deleted. A javascript FOR loop, and a IFRAME could literally wipe an account.

YouTube basically told me I was an idiot even though I tested it.

Code:

('http://youtube.com//my_videos?action_removevideo=1&video_id=' + video_id'
http://www.youtube.com/watch?v=GtQAA8KijgA
http://www.youtube.com/watch?v=9kB2K8QigEo
http://www.youtube.com/watch?v=_YpqG9kggKg
http://www.youtube.com/watch?v=O1av759BjTQ
http://www.youtube.com/watch?v=ZGNYzdCWqTY
http://www.youtube.com/watch?v=53vD5qHY5BU
http://www.youtube.com/watch?v=etJXrbUo-wo
http://www.youtube.com/watch?v=jcL5ag-Dh3M
http://www.youtube.com/watch?v=RDc6dNer--g
http://www.youtube.com/watch?v=rY51VogMOiE
http://www.youtube.com/watch?v=6YyasAj0J1s
http://www.youtube.com/watch?v=9i7oEfVi2ZY
http://www.youtube.com/watch?v=rxbq22ybWhU
http://www.youtube.com/watch?v=rxbq22ybWhU
http://www.youtube.com/watch?v=KJwQzeL-ua4
http://www.youtube.com/watch?v=-7H9u_n331Y
http://www.youtube.com/watch?v=pXE79tf39A4
http://www.youtube.com/watch?v=fIK7Gdg7YNQ
http://www.youtube.com/watch?v=7u6UaIPfLC0
http://www.youtube.com/watch?v=E60MdnW1eNo
http://www.youtube.com/watch?v=ziUawb0WSVg
http://www.youtube.com/watch?v=Ob1e4lVc8jA
http://www.youtube.com/watch?v=a-1EEbLwVd4
http://www.youtube.com/watch?v=S9qKV7kTtvg

Tags: None

kallahar

Goon Like Object

Join Date: Jan 2003

Posts: 571
- Share
- Tweet
#2

November 28, 2006, 08:30

Re: YouTube XSS

heh, if the music/movie studios get ahold of this then they may try to delete the entire site!

--- The fuck? Have you ever BEEN to Defcon?
Comment
TaGmAn

Member

Join Date: Oct 2006

Posts: 7
- Share
- Tweet
#3

December 9, 2006, 16:46

Re: YouTube XSS

that is scary how simple it is o.0
I wouldn't be surprised if someone wrote a crawler to get all the movie links and deleted everything o.0
Comment

Previous template Next

Dark-Blue
English (US)

Help
Contact Forum Account Support
DMCA
DEF CON Policies
Go to top

(r) DEF CON Communications, Inc.

All times are GMT-8. This page was generated at 1 minute ago.

Working...

X