Malicious hackers attacked Google’s YouTube on Sunday, exploiting a cross-site scripting (XSS) vulnerability on the ultra-popular video sharing site, hitting primarily sections where users post comments.
“Comments were temporarily hidden by default within an hour [of discovering the problem], and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future,” a Google spokesman said via e-mail.
The attack potentially put at risk YouTube cookies of users who visited a compromised page, but it couldn’t be used to access their Google accounts, the spokesman said.
As a precaution, YouTube users should log out of their account and log back in again.
The attackers apparently targeted singer Justin Bieber, incorporating code into YouTube pages devoted to him so that visitors saw tasteless messages pop up about the teen star, and were also redirected to external sites with adult content.
An industry source familiar with the situation said that while the attack itself didn’t involve malware infections, such a risk is inherent whenever users visit any Web page, such as the ones attackers redirected users to.
It’s not clear if those landing pages contained malware, but most up-to-date anti-virus software is designed to protect against those threats, this person said.
YouTube is by far the most popular video uploading and sharing site. In May, U.S. residents watched 14.6 billion video clips at Google sites, mostly at YouTube. which is about 43 percent of all clips watched online that month, according to comScore.
On Monday, when the U.S. marked its independence with fireworks shows, social media sites like Twitter and Facebook lit up on Sunday morning with reports from thousands of individuals who noticed the YouTube hack.
A separate stream of postings on social media sites focuses on whether Apple’s iTunes App Store may have been compromised by a rogue developer and whether purchases may have been made without victims’ permission using their credit cards on file.
People posting about the Apple issue are suggesting that App Store customers check for any unusual activity on their accounts.
Apple didn’t immediately respond to a request for comment from IDG News Service.
Social media risks
Attacks, such as this one, on popular social networking sites could affect – not just individuals – but businesses as well.
Last month an IT governance group released a ranking of the top five risks social media poses to companies.
The study lists the biggest risks businesses need to prepare for when they are using social media.
It was released by ISACA, a 43-year-old international organization previously known as the Information Systems Audit and Control Association that researches IT governance and control.
John Pironti, an ISACA Certification Committee member, noted that many business executives have considered some of the risks, but few have considered all of them.
“I think that the blinders have been on at a lot of enterprises,” Pironti said. “They’re trying to figure out what to do about this. I think companies are as scared as they generally are with any new technology, like Wi-Fi and jump drives.
They’re taking a different attitude this time. They’re not just turning it off but they’re acknowledging that they just can’t stop the use of it. They understand that it’s going to be used so how do they do it safely?” he said.
User education crucial
The top risks, which are laid out in an ISACA research paper, are viruses and malware, brand hijacking and lack of control over corporate content.
Rounding out the top five are unrealistic expectations of customer service at “Internet-speed” and non-compliance with record-management regulations.
Pironti said ISACA isn’t warning companies not to use Web 2.0 tools or to not fully embrace social networking.
However, he said they need to go into it with their eyes wide open to the benefits as well as the risks.
And he added that most of the risks stem from users not understanding how their own behaviour could possibly affect the company.
Pironti noted that it comes down to a need for organizations to educate users about how posting something could breach company security, hurt the company’s image or even open the company up to being hit by malware.
“With social media, there are so many platforms and environments to learn,” said Pironti. “What are the implications of what could happen? People don’t think of the damage that could occur to an organization.”
“They see it as a way to explore relationship with work people. We take some of the social out of their lives by asking people to work longer hours. They’re looking for a balance — to still have a relationship with friends and peers,” Pironti said.
And since workers, either on their own or with a corporate blessing, will use social networking sites such as Facebook and Twitter , Pironti said they need to understand the line between social and business.
They also need to have set corporate guidelines about what information can be shared what needs to stay inside corporate walls.
However, Pironti said company execs also need to be aware themselves that workers are using social networking sites and tools so they need to have a hand in it to better protect themselves.
Executives can’t be aware of what is being said about a company unless someone is paying attention.