Justin Bieber fans under fire in YouTube XSS attack

If there are any breathless fans of Justin Bieber reading this – let me calm you straight away: Justin Bieber has not died in a car crash.

But you may have imagined that he did if you checked out some of his YouTube videos this long US Independence Day holiday weekend, or read one of the many internet rumours that spread over the last day or so.

A vulnerability in YouTube’s comment system was exploited widely this weekend, allowing mischief-makers to embed code through a cross-site scripting (XSS) flaw. And one of the things they did was post messages claiming that the teen pop sensation had died in a car crash.

Normally YouTube is smart enough to weed out offending code left in the comments left for videos, but it appears that the hackers found a way to waltz past the site’s defences.

Those watching YouTube videos of Justin Bieber and others could find their eyeballs assaulted by other prankish pop-ups and offensive messages or redirected to tasteless websites.

It took about…

Read more in my article on the Naked Security website.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.