YouTube Gets Exploited.

Updated #2 – I’ve heard reports that TinKode came out with the 0day exploit. Props to him for a pretty awesome find. Many of you will recognize TinKode if you read his security blog or have seen him around at HF.

Updated: All comments have been hidden whilst YouTube fixes the situation. Maybe now would be the time for them to sanitize inputs?

YouTube was bombarded with spam today after code was released that allowed HTML to be posted in comments. This was then built upon and has led to customisable JavaScript alerts, full-page “ads” and now complete page redirects. See images below and check out YouTube whilst it’s still not been fixed.