Post by milowent on Nov 30, 2006 13:24:25 GMT -5
YouTube PM Vulnerability www.youtube.com/watch?v=t0BQwmj9baY&eurl=YT Summary: It's currently possible for your YouTube cookie to be stolen if you read a private message (not even clicking any links inside). This allows someone to log into your account and, for example, delete your videos. This is most likely what happened to boh3m3, utnow, Micfri, and xgobobeanx when they noticed a bunch of their videos missing. Kind of disturbing.
Post by Terryfic on Nov 30, 2006 13:33:01 GMT -5
I’m not all that surprised. It is not like YouTube is bank software, so it is understandable that the security may not be the best possible. I am a little concerned since Chad and Steve are originally from PayPal. I hope when they worked there they were more thoughtful of preventing arbitrary code from being run.
Post by VanillaFlava on Nov 30, 2006 17:06:15 GMT -5
Yeah well, cookie spoofing isn't actually anything new or surprising. Why they are allowing javascript in their private messaging system is a mystery to me ... spoofing your YT cookie should be the least thing you should be worried about (after all that session ID will time out soon enough, your credentials aren't actually compromised, just the currently open session).
Similar craziness can be exploited on MySpace; even more disturbingly, there it can be done by just surfing pages.
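An added example, not part of the original thread and not YouTube's code: the two server-side controls that address what the posts above describe, namely rendering private-message fields as encoded text so embedded script never runs, and marking the session cookie HttpOnly so page script cannot read it. The function names, cookie name and sample message are assumptions made for illustration.

```javascript
// Added example: hypothetical private-message renderer and session-cookie builder.
// All names here are illustrative; the sample message is constructed.

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a message so every sender-controlled field is output as text.
// Line breaks are converted only after encoding, so <br> is the sole tag emitted.
function renderMessage(msg) {
  return [
    '<div class="pm">',
    `  <h3>${escapeHtml(msg.subject)}</h3>`,
    `  <p class="from">From: ${escapeHtml(msg.from)}</p>`,
    `  <p class="body">${escapeHtml(msg.body).replace(/\r?\n/g, '<br>')}</p>`,
    '</div>',
  ].join('\n');
}

// Build the Set-Cookie value for the session. HttpOnly keeps the value out of
// document.cookie, Secure restricts it to HTTPS, Max-Age bounds its lifetime.
function sessionCookie(sessionId, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) {
    throw new Error('unexpected session id format');
  }
  return `session=${sessionId}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Response header that refuses inline script even if an encoding bug slips through.
const CONTENT_SECURITY_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'";

// Constructed sample: a message whose subject and body contain markup.
const sample = {
  from: 'someuser',
  subject: 'hi <b>there</b>',
  body: 'line one\n<script>/* inert once encoded */</script>',
};

console.log(renderMessage(sample));
console.log('Set-Cookie:', sessionCookie('abcdefghijklmnop1234', 1800));
console.log('Content-Security-Policy:', CONTENT_SECURITY_POLICY);
```

Encoding stops the script from running in the reader's browser; HttpOnly limits what a script could take if one ever did run.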