05 Jul 2010, Dave Neal, V3
YouTube users have reacted angrily to a cross-site scripting exploit that hid comments on videos this weekend.
The problems appeared to begin on videos relating to teen pop sensation Justin Bieber, but soon began to spread to other videos, according to reports.
The infections do not appear to have a dangerous payload, but have annoyed users who expressed their opinions on the YouTube help forums.
"Where are the YouTube moderators to answer this? I think it's affecting thousands of people. You can also block such users as soon as one of your videos get infected, otherwise they will continue to damage your other ones too!" said one user.
"They need to really step security up, never realised until now how many security loopholes there is," added another.
Security firm Sunbelt Software warned that the implications could have been much worse if the same exploit had been carried out by a more malicious group.
"If this exploit had been discovered by a professional money-making outfit, there could have been all sorts of subtle attacks taking place for a long time. Not good, given the apparent simplicity of the attack," said Christopher Boyd, senior threat researcher at the vendor, in a blog post.
YouTube acknowledged the scripting bug in an official response, and promised that it has removed the risk of another attack.
"We took swift action to fix a cross-site scripting vulnerability on youtube.com that was discovered several hours ago," said a spokesman.
"Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We're continuing to study the vulnerability to help prevent similar issues in the future."
The spokesman added that, contrary to some reports, the issue could not have been used to gain access to a victim's Google account.
No credit for security researcher who discovered this flaw?
I have read news from many sources about this security issue, but no one credited TinKode from Romanian Insecurity Team, who discovered it first and published details and a proof-of-concept on his blog on the 3rd of July (http://blog.insecurity.ro/youtube-html-code-injection/).
Posted by D1M, 05 Jul 2010