YouTube HTML Inject July 4th Exploit
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Anyone else see the news of the July 4th YouTube exploit that had places like 4chan buzzing this morning? It seems like Google's coders failed to protect the site from a very elementary code inject vulnerability, and once it was learned about by hackers and script kiddies, they were doing things like redirecting popular videos to porn, hijacking browsers in a way that required they be force quit, redirecting to other sites, and the like.
This incident has awakened me to the fact that Google, for all its wealth and for all its PhDs, may not be nearly as good when it comes to even basic web security issues as one would expect. Previously we heard about the Chinese hacking of Google servers - certainly a negative story but one that you could excuse to some degree by assuming those hackers were l337 and that it was a small scale exploit. But this was a large scale, very easy to pull off inject attack (and by easy I mean one short line of code easy) that I would think any first year professional web coder would learn to guard against. I'm looking at Google and its services with a freshly skeptical eye now.
(Last edited by Big Mac; Jul 5, 2010 at 11:22 PM.)
"The natural progress of things is for liberty to yield and government to gain ground." TJ
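The post above calls the bug an elementary HTML inject and describes its effects (redirects, hijacked browsers) without giving the mechanism. The following is an added example, not code from the thread and not YouTube's code or the actual July 2010 bug: it shows the general shape of an HTML-injection flaw in a comment renderer, the vulnerable concatenation beside the output-escaping that fixes it, and a crude check that tells the two apart. All names (renderCommentUnsafe, renderCommentSafe, escapeHtml, hasInjectedMarkup), the example.invalid host, and the payloads are constructed for illustration.

```javascript
// Added example, not from the thread and not the real YouTube bug.
// Shows HTML injection in a comment renderer and the escaping fix.

// Vulnerable: the commenter's text is concatenated straight into markup,
// so any tag or attribute they typed becomes part of the page.
function renderCommentUnsafe(author, text) {
  return '<div class="comment"><b>' + author + '</b>: ' + text + '</div>';
}

// Escape the five characters that change meaning in HTML text and
// attribute contexts. This is output encoding, done at render time;
// filtering input on the way in is not a substitute for it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: every untrusted value is escaped, including the author name,
// since an attacker controls that field just as much as the comment body.
function renderCommentSafe(author, text) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(text) + '</div>';
}

// Crude check used only to make the difference visible: after removing
// the markup the template itself emits, is any other tag left? Real
// detection should use an HTML parser, not a regex.
function hasInjectedMarkup(html) {
  const stripped = html.replace(/<\/?(div|b)(\s+class="comment")?>/g, '');
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Constructed payloads of the kind the thread describes: a redirect via
// an event handler, a script tag, and a benign comment with special
// characters. example.invalid is a reserved, non-resolving domain.
const PAYLOADS = [
  '<img src=x onerror="location=\'http://example.invalid/\'">',
  '<script>alert(document.cookie)</script>',
  'plain comment mentioning "quotes" & ampersands',
];

// Render each payload both ways and report whether foreign markup survived.
function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    unsafeInjects: hasInjectedMarkup(renderCommentUnsafe('alice', p)),
    safeInjects: hasInjectedMarkup(renderCommentSafe('alice', p)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

The point the check makes is that the first two payloads survive as live markup in the unsafe output and come out as inert text in the safe one, while the benign comment is untouched either way. Escaping at the point of output is the fix; stripping or blacklisting tags on input is the approach that tends to leave gaps.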
Clinically Insane
Join Date: Mar 2001
Location: yes
Big Mac: in my experience working in a big company like this, and based on everything I know, the problem is usually not the competency of the coders but the mixing of the tech and business cultures. The politics, business direction/strategy, staffing, and all of that sort of stuff can easily get in the way of the quality of a product, its focus, and its security too, and of course dysfunctional communication can be a hindrance as well.
In a company like Google it might be one department that performs security audits/scans, another that codes the web applications... It could be that the security guys didn't look at this, that they weren't given enough/proper information, that a problem was never patched due to political reasons, etc.
It's obviously pointless to speculate, but my main point is that the coupling of the whole business culture with the geekery creates about 2098230948203948 variables, and often accounts for suckage.
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
besson and I were the only ones interested in this story? That's surprising. . .
Clinically Insane
Join Date: Mar 2001
Location: yes
Big Mac: that's because we're not losers!
Dedicated MacNNer
Join Date: May 2008
It's almost like the Government runs them.
cause we're not quite "the fuzz"
Moderator
Join Date: Feb 2006
Location: on the verge of insanity
It could have been bad code from before Google bought youtube.
I like my water with hops, malt, hops, yeast, and hops.
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Even if that were true, one would hope Google would have code audited everything from YouTube.