Hackers exploited a cross-site scripting vulnerability on video sharing site YouTube during the holiday weekend, targeting fans of singer Justin Bieber.
Using the vulnerability, the attackers were able to insert HTML code into YouTube pages devoted to Bieber and greet fans with redirects to adult content as well as a numerous pop-up messages, including one claiming the 16-year-old star had been killed in a car accident. The attackers placed the code in the comment section of the pages, prompting Google to temporarily hide comments Sunday by default.
Other pages unrelated to Bieber were reportedly targeted as well.
According to Google, a fix for the issue was rolled out about 2 hours after it was discovered.
“We’re continuing to study the vulnerability to help prevent similar issues in the future,” a Google spokesperson told eWEEK.
The vulnerability allowed the attackers to bypass the filter normally used to police YouTube comments.
“Clearly YouTube is a big target, as it has so many millions of visitors every day, and you would hope that their Web team will investigate what went wrong with their processes, and explore if they are reviewing code properly before it is made live to ensure that loopholes aren’t left in their code in future,” noted Graham Cluley, senior technology consultant at Sophos.