Justin Bieber fans under fire in YouTube XSS attack

If there are any breathless fans of Justin Bieber reading this – let me calm you straight away: Justin Bieber has not died in a car crash.

But you may have imagined that he did if you checked out some of his YouTube videos this long US Independence Day holiday weekend, or read one of the many internet rumours that spread over the last day or so.

A vulnerability in YouTube’s comment system was exploited widely this weekend, allowing mischief-makers to embed code through a cross-site scripting (XSS) flaw. And one of the things they did was post messages claiming that the teen pop sensation had died in a car crash.

Normally YouTube is smart enough to weed out offending code in the comments left on videos, but it appears that the hackers found a way to waltz past the site’s defences.

Those watching YouTube videos of Justin Bieber and others could find their eyeballs assaulted by other prankish pop-ups and offensive messages or redirected to tasteless websites.

It took about two hours before Google, YouTube’s parent company, got things under control.

XSS attacks are a serious problem, of course. Potentially they can fool unsuspecting users into handing over their login details (although this doesn’t appear to have happened on this occasion) or direct them to a malicious webpage.

The Daily Telegraph quotes a Google spokesperson as saying:

"We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We're continuing to study the vulnerability to help prevent similar issues in the future."

Clearly YouTube is a big target, as it has so many millions of visitors every day. You would hope that its web team will investigate what went wrong with its processes, and explore whether code is being reviewed properly before it is made live, to ensure that loopholes aren’t left in it in future.

* Image source: Richard Cunningham.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
