Analysis
It seems that when someone places a piece of JavaScript in the comment section, beginning with the <script> tag, YouTube’s comment sanitization policy correctly escapes the <script> tag itself. Unfortunately, the data which follows this tag is not removed, but is displayed on the screen. This allows a clever hacker to inject HTML directly into the page, modifying the page itself and allowing all types of security issues.

This incident highlights the impact of security issues like Cross Site Scripting (XSS). These vulnerabilities should not be treated lightly, since a Web Application Filter (WAF) cannot protect you from new attacks like this one. WAFs can only protect you from what they already know.

About stopthehacker.com
At stopthehacker.com, we work hard to help you combat attacks by malicious hackers. If you would like to work with us, please drop us an email. You can also visit our services page to find out how we can help you. In fact, you can even sign up for our Free Blacklist Monitoring service!

We at StopTheHacker.com have conducted a study to ascertain if these top financial institutions are really secure or not. The findings, including a graphical summary, are also available in a PDF report attached at the end of this article.

Security Level of Top US Financial Institutions in 2009

The results were astonishing: 13 out of 14 websites had at least one critical vulnerability. In more detail, we highlight some key results below:

1. On average, there are 1.5 critical security issues in each financial institution
2. On average, there are 1.2 important security issues in each financial institution
3. On average, there are 7.9 general security issues in each financial institution
4. The highest company valuation in total assets does not correlate to the highest security
5. The financial institution in our set with the least valuation had zero critical security holes

The identified vulnerabilities are very serious: critical security issues/holes are widely seen as major security concerns by security experts, and security standards.

The most prevalent vulnerability among all of those discovered, allows a hacker to spawn what is known as a shell, more commonly known as the command-prompt, and thereby remotely executing harmful commands on the web server. Other vulnerabilities range from major Cross Site Scripting (XSS) vulnerabilities, which can enable hacker to steal credentials of website visitors, to a plethora of concerns with various software installations used on these systems.

For more information, please feel free to contact us.

• Download the Whitepaper