YouTube XSS

  • YouTube XSS

    If you watch vloggers on YouTube you may have noticed some were getting "hacked." I was inspired to investigate, and found the problem. Haven't seen this published yet, but it's so simple it's disturbing.

    It works a lot like the YouTube API, and I found it by looking at the JavaScript function (removevideo(video_id)).

    All you'd have to do is get the video IDs of all the user's videos, and create a loop in some client-side scripting.

    I'll only give whole URLs to keep from breaking any forum rules, but YouTube basically has dozens of XSS vulnerabilities.

    I hope I don't offend anyone by posting this, but I figured some of you probably use the service, and would like to know how people are getting their videos deleted. A JavaScript FOR loop and an IFRAME could literally wipe an account.

    YouTube basically told me I was an idiot even though I tested it.

    ('' + video_id'
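
The post above describes a delete action that another page can trigger through an IFRAME while the owner is logged in. The following is an added example, not code from the original post or from YouTube, of a server-side check that refuses such requests; the origin, key, session ID and request shape are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions for this sketch: the site origin, the server key and the
# request shape are placeholders, not values from the original post.
SITE_ORIGIN = "https://video.example"
SERVER_KEY = b"constructed-demo-key"


def csrf_token(session_id: str) -> str:
    """Token bound to the session; a page on another site cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_delete(method: str, headers: dict, session_id: str, form: dict):
    """Return (allowed, reason) for a delete-video request."""
    # 1. State changes never ride on GET, so a URL loaded in an IFRAME
    #    cannot trigger them just by being fetched.
    if method.upper() != "POST":
        return False, "method not allowed"
    # 2. Browsers attach Origin to cross-site POSTs; refuse foreign ones.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-site origin"
    # 3. Require the per-session token, compared in constant time.
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return False, "bad or missing token"
    if not form.get("video_id"):
        return False, "missing video_id"
    return True, "ok"


# Constructed sample requests (hypothetical session and video IDs).
SESSION = "sess-1234"
FRAMED_GET = ("GET", {"Referer": "https://other.example/page"}, SESSION,
              {"video_id": "abc123"})
FORGED_POST = ("POST", {"Origin": "https://other.example"}, SESSION,
               {"video_id": "abc123"})
GENUINE_POST = ("POST", {"Origin": SITE_ORIGIN}, SESSION,
                {"video_id": "abc123", "csrf_token": csrf_token(SESSION)})

if __name__ == "__main__":
    for name, req in [("framed GET", FRAMED_GET), ("forged POST", FORGED_POST),
                      ("genuine POST", GENUINE_POST)]:
        print(name, authorize_delete(*req))
```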

  • #2
    Re: YouTube XSS

    heh, if the music/movie studios get ahold of this then they may try to delete the entire site!
    --- The fuck? Have you ever BEEN to Defcon?


    • #3
      Re: YouTube XSS

      that is scary how simple it is o.0
      I wouldn't be surprised if someone wrote a crawler to get all the movie links and deleted everything o.0