Homeless in Vancouver: Was YouTube just used to infect computers for large DDoS attack?


      Evidence points toward YouTube being the “popular video-sharing site” that unwittingly helped hackers hijack 22,000 browsers to act as a botnet for a large-scale DDoS attack.

      In a post the next day on its blog, titled “One of World’s Largest Websites Hacked”, web-security company Incapsula explained that on Wednesday (April 2) it had mitigated a unique Distributed Denial of Service attack.

      One of its clients was bombarded by over 20 million GET requests originating from the Web browsers of 22,000 hijacked computers.

      Incapsula discovered that attackers “recruited” the computers by exploiting a flaw in what it called a “high profile video content provider”.

      Faster pussycat, infect, infect!

      A persistent cross-site scripting (XSS) vulnerability allowed unknown attackers to hide malicious JavaScript code in avatar images in the comments section of video posts on the website. Users unwittingly loaded the malicious code when they viewed any of the posts—apparently, all funny cat videos.

      This led to 22,000 of the computers being infected by the malware, which co-opted the computers to participate in the DDoS attack.

      Because the malware worked in the background without triggering any dialogue messages or other noticeable activity, users would have been unaware their computers were doing anything untoward.
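      As an added defender-side illustration (not code from the article or from Incapsula), the following Python script scans constructed web-server access-log lines for the traffic pattern the article describes: a burst of GET requests to one path from many distinct client addresses, most of them carrying a Referer from the same third-party site, which is what hijacked browsers running script on a video page would produce when the Referer header is not suppressed. The hostnames, addresses, log lines and thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format. The sample lines parsed below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def referer_host(referer):
    """Extract the host part of a Referer URL; '' for missing ('-') or malformed values."""
    m = re.match(r"https?://([^/]+)", referer)
    return m.group(1).lower() if m else ""


def detect_browser_flood(lines, window_seconds=60, min_requests=50,
                         min_distinct_ips=20, min_referer_share=0.8):
    """Flag paths that, inside any sliding time window, receive many GET requests
    from many distinct client IPs where most requests share one Referer host.
    One alert per path, describing the largest qualifying window."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_path[rec["path"]].append(rec)

    alerts = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            # Slide the window start forward until the window fits window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            ips = {r["ip"] for r in window}
            if len(ips) < min_distinct_ips:
                continue
            host, n = Counter(referer_host(r["referer"]) for r in window).most_common(1)[0]
            if host and n / len(window) >= min_referer_share:
                if best is None or len(window) > best["requests"]:
                    best = {"path": path, "requests": len(window), "distinct_ips": len(ips),
                            "referer_host": host, "referer_share": round(n / len(window), 2)}
        if best:
            alerts.append(best)
    return alerts


def _line(ip, ts, path, referer):
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"'


def sample_log():
    """Constructed log: 60 distinct TEST-NET clients hitting '/' within 30 seconds, all
    referred from the same (hypothetical) video page, plus a little normal traffic."""
    base = datetime(2014, 4, 9, 12, 0, 0, tzinfo=timezone.utc)
    flood = [_line(f"203.0.113.{i + 1}", base + timedelta(seconds=i // 2), "/",
                   "https://video.example/watch?v=cats") for i in range(60)]
    legit = [_line(f"198.51.100.{i % 2 + 1}", base + timedelta(seconds=3 * i), "/",
                   "https://search.example/") for i in range(5)]
    other = [_line("198.51.100.9", base + timedelta(seconds=i), "/about", "-")
             for i in range(10)]
    return flood + legit + other


if __name__ == "__main__":
    for alert in detect_browser_flood(sample_log()):
        print(alert)
```

      The Referer share is the distinguishing signal: a normal traffic spike has mixed or empty referers, whereas browsers executing injected script on one hosting page all announce that page. Thresholds are deliberately low for the constructed sample and would be tuned per site in practice.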

      Incapsula declined to actually name the website, saying only that it was “one of the world’s largest and most popular sites”—a video-sharing site listed among Alexa’s top 50 websites. Hmm?

      History repeats itself

      Alexa is a web information company. Its live list of the top 500 global websites is a widely used reference. There are only two sites in Alexa’s top 50 that could qualify: xvideos.com at number 43 and YouTube at number 3, and I’m not sure xvideos.com qualifies as a video-sharing site.

      Back in the summer of 2010 YouTube was discovered to have a serious XSS vulnerability, which allowed attackers to “poison” the comments on multiple videos before Google said it moved in to patch it.

      Jay Nancarrow, a Google spokesperson, was quoted back in 2010 by techie-buzz.com:

      We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.

      In 2010 it appears the XSS flaw was exploited by pranksters, including those irrepressible scamps over at 4chan, and involved flooding popular videos, especially those by Justin Bieber, with malicious comments which are too shocking for us to repeat.

      Stanley Q. Woodvine is a homeless resident of Vancouver who has worked in the past as an illustrator, graphic designer, and writer.

      Comments

      2 Comments

      Beiber

      Apr 9, 2014 at 3:45pm

      It's got to be Xvideos, they get 4.4 billion hits per day and is the kind of site Incapsula wouldn't want to tell everybody they do work for whereas they would be bragging how they stopped a Youtube related attack to the media.

      On Xvideos you can put plenty of galleries/images into profile pages, unlike Youtube; also the fact that only 22,000 drones were infected makes me believe it wasn't Youtube, since that figure would be 10x if it was.

      Anybody compromising Youtube would also be reluctant to use it as a simple DOS tool that would be easily discovered. Could sell that vuln on the open market for a lot, hell even Google would pay a good bounty for it, much more than you would get for launching DOS.

      Soon all our browsers will be coded in Rust, and videos will be WebM or similar and these terribad days of java and js garbage will be behind us.

      Stanley Q Woodvine

      Apr 10, 2014 at 1:06am

      I have to agree that YouTube should have yielded far more infected computers.