XSS on YouTube

Ask for help about NoScript, no registration needed to post
Mastacheata
Posts: 6
Joined: Tue Jan 04, 2011 9:49 am

Re: XSS on YouTube

Post by Mastacheata » Wed Sep 18, 2013 8:43 pm

I've created XSS Exception rules for both the plus.googleapis.com and the api.google.com version of the .../widget/render/comments Cross-site request like this:

Code: Select all

^https://plus\.googleapis\.com/_/im/_/widget/render/comments\?
^https://apis\.google\.com/u/0/_/widget/render/comments\?


Now this does no longer trigger any XSS warning, but navigating the Youtube website is still broken.
If you click on any of the videos in the "related Videos" sidebar on the right (doesn't matter whether you click the preview or the title), a red bar will fill up at the very top of the website (above the yt logo and search box).
However this will not load the selected video, but only changes the URL displayed in the URL field of Firefox.
If one triggers a reload now, the site is refreshed at the "new" URL.

Also the behavior doesn't change when I have no XSS exception rules but use the unsafe reload button. It changes the URL, but not the content.

This happens no matter what scripts I allow. (i.e. If I set NoScript to "allow scripts globally" [or whatever that's called in english], that doesn't change anything.)
I even disabled all other addons that might interfer, like ABP and Greasemonkey.

The behavior is not specific to any single video for me, but is the same for each and every video I tried.
Other links, like the Usernames of the uploader or commenters work just fine. So does the small watch-later overlay icon on the video previews.

Any other ideas I could try?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Light95ute
Posts: 1
Joined: Wed Sep 18, 2013 10:56 pm

Re: XSS on YouTube

Post by Light95ute » Wed Sep 18, 2013 11:03 pm

I just registered here, because I noticed something.
I used YouTube today without any problem, then, half an hour ago, I updated Firefox to the last version (from 23 to 24) and now I'm getting this XSS block.

I don't know, might be helpful, maybe Firefox broke something in the plugin. They also have an option to block Flash (and other plugins I guess) integrated in the browser now (if you go on YouTubge for example, on the left of the address you should see a little lego block or something similar, if you click it you're given the option to disable Flash), might be some kind of interference.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

JS

Re: XSS on YouTube

Post by JS » Wed Sep 18, 2013 11:14 pm

I was getting the same thing on Youtube, starting last night, continuing today on another computer. When I went to NoScript options and chose to forbid googleapis, the warnings stopped and functionality wasn't harmed. I wasn't logged on, and don't have a login, so I don't know if that matters. I guess the plus.googleapis is something Google uses to tie one's info together into a profile from all their sites? Strange that it suddenly started happening. It happened to me both before and after updating Firefox, but forbidding googleapis stopped it.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

joshirosama
Posts: 5
Joined: Wed Sep 18, 2013 11:42 pm

Re: XSS on YouTube

Post by joshirosama » Wed Sep 18, 2013 11:45 pm

im getting issue and ive tryed blocking googleapis and tryed using this script:
^(?:https?:\/\/)?(?:www\.)?(youtu\.be\/|youtube\.com\/).*

in the expceptions. and no luck still ._.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

BlackJack

Re: XSS on YouTube

Post by BlackJack » Thu Sep 19, 2013 12:13 am

boviscopophobic wrote:If I have the console open when I get the XSS notification in YouTube, a warning briefly shows up in the console and then disappears.

Skai wrote:Nice catch, there are three (well, four, but two are duplicates about deprecated method) notifications when filtering with NoScript and all of them disappear almost instantly, having less than second to copy them.

Skai wrote:In addition, anything shown on console related to NoScript gets deleted almost instantly as the page loads, showing only for like a second.


Can any of you confirm he's using Firefox 24?

Starting from this version, the browser console is replacing the error console.

Using NoScript's "Show Console…" in Firefox 24 opens up the error console, but the NoScript reports are actually moved from the error console, as soon as they appear, to the browser console. A behavior that I suppose will be fixed in a future version of NoScript.
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

Guest

Re: XSS on YouTube

Post by Guest » Thu Sep 19, 2013 4:38 am

I'm having the same problem.

I had it with 23.0.1 Firefox (therefore I don't think it's a problem with 24.0 alone, mine was not updated when the error message was first displayed, it was still 23.0.1 according to my browser itself) , and even though I've updated to 24.0, the problem persists. This seems to be a youtube only problem, other Google services don't seem to have a problem, with the exception of YouTube. All the other sites I've visited are working perfectly. So I believe this is a YouTube specific problem.
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

Guest

Re: XSS on YouTube

Post by Guest » Thu Sep 19, 2013 4:43 am

For some reason also, FF is now allowing me to block or allow Flash / any plugin on any site (for example, google talk is enabled on Google plus, Flash is enabled on YouTube, flash is disabled on some other site) is this a new function in FF 24.0?
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

access2godzilla
Senior Member
Posts: 109
Joined: Sun May 20, 2012 5:09 pm

Re: XSS on YouTube

Post by access2godzilla » Thu Sep 19, 2013 6:31 am

Guest wrote:FF is now allowing me to block or allow Flash / any plugin on any site (for example, google talk is enabled on Google plus, Flash is enabled on YouTube, flash is disabled on some other site) is this a new function in FF 24.0?

Yeah.
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130401 Firefox/21.0

Delta Echo

Re: XSS on YouTube

Post by Delta Echo » Thu Sep 19, 2013 9:37 am

Guest wrote:I'm having the same problem.

I had it with 23.0.1 Firefox (therefore I don't think it's a problem with 24.0 alone, mine was not updated when the error message was first displayed, it was still 23.0.1 according to my browser itself) , and even though I've updated to 24.0, the problem persists. This seems to be a youtube only problem, other Google services don't seem to have a problem, with the exception of YouTube. All the other sites I've visited are working perfectly. So I believe this is a YouTube specific problem.


It's happening to me in Firefox 22.0. And it's almost certainly due to somebody "improving" the code in the Youtube comments box, it seems...
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0

Guest

Re: XSS on YouTube

Post by Guest » Thu Sep 19, 2013 4:00 pm

Blocking googleapis worked for a bit, but then the noscript warning returned, and I had to also forbid Google to make it go away again, which does effect some site functionality, but the warnings didn't return. Can still click on videos and have them play. I'm sure this is already known, but I just wanted to correct my original post that claimed that simply blocking googleapis fixed this issue for me. It did, but only for three minutes. Any ideas for a fix that doesn't degrade site functionality (forbidding google scripts) or weaken security (adding the exceptions)? Thanks for noscript. It's great (seriously). Thanks also to Google for keeping things interesting (sarcastically).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

Guest

Re: XSS on YouTube

Post by Guest » Thu Sep 19, 2013 5:31 pm

access2godzilla wrote:
Guest wrote:FF is now allowing me to block or allow Flash / any plugin on any site (for example, google talk is enabled on Google plus, Flash is enabled on YouTube, flash is disabled on some other site) is this a new function in FF 24.0?

Yeah.


I confirm the problem with YouTube, and I'm still on Firefox 23.

Is the feature quoted above Firefox's "Click to Play" or something different introduced in version 24. And can it go hand by hand with NS, I mean, disabling it to keep using NS.

Thanks.
Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0

Mastacheata
Posts: 6
Joined: Tue Jan 04, 2011 9:49 am

Re: XSS on YouTube

Post by Mastacheata » Thu Sep 19, 2013 7:16 pm

Guest wrote:Is the feature quoted above Firefox's "Click to Play" or something different introduced in version 24.

In FF24, you have a small lego block in the URL field all-left (even left to the favicon/SSL padlock icon) where you can disable Flash and probably other plugins on a site-by-site basis.
From what I can see this does not interfer with noscript at all. Even more because this is a blacklist functionality vs NoScript's whitelist functionality.

I noticed everyone's talking about blocking googleapis, but YouTube doesn't even load any scripts from googleapis.com for me. (Note: I'm in germany)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

E.Harris

Re: XSS on YouTube

Post by E.Harris » Fri Sep 20, 2013 1:26 am

crunchysuperman - Are you using the "YouTube Center" extension by any chance? Around the same time Firefox 24 came out and YouTube made these changes, that extension stopped working. I'm not sure if the problem is with FF24 or YouTube, but I couldn't play anything until I disabled it.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

Znerwicowany
Posts: 1
Joined: Fri Sep 20, 2013 1:38 am

Re: XSS on YouTube

Post by Znerwicowany » Fri Sep 20, 2013 2:17 am

Hi
I'm on Firefox 23.0.1. Coincidence or not, for me it all started last night by watching this YT film--> youtube.com/watch?v=_XuGajhkPfY <--. From now on surfing on YT and playing any movie cause this XSS warning. I tried to watch YT on another computer which did not have any contact with mentioned link. Firefox is on that computer and noscript as well. Diference is Windows 7 (my machine is XP) and different security software. No XSS warning appears on that PC. Forgot to mention that Windows 7 PC has up to date flash plugin. Affected XP machine has slightly out of date flash (mea culpa).

So, is it false positive/NS problem? Or, some YouTube areas are hacked and injects malicius code? How to deal with it then? Are you in touch with YT?
Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0

DAOWAce
Posts: 5
Joined: Fri Sep 20, 2013 3:01 am

Re: XSS on YouTube

Post by DAOWAce » Fri Sep 20, 2013 3:06 am

Came to the forums because there hasn't been an update yet to address the issue.

This started happening around 3 days ago now. Whatever change Google made to the comment system caused NoScript to throw out the XSS warning.

It happens on any Youtube video page, no need to hunt around for one.

I think I'm going to disable notifications for now, as it's so damn annoying to have it happen on every single video I try to watch, shrinking the player and forcing me to close out the notification bar to get the player size back.

Hope a resolution is found soon.
Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

Post Reply