Security researcher rounds on YouTube flaws

Popular video sharing website YouTube is riddled with security vulnerabilities according to an independent security researcher.

In an open letter to YouTube owner's Google, Christian Matthies said he would publicly disclose over 40 bugs he said he found on the site.

Most of the flaw concern cross-site scripting flaws which allow hackers to inject malicious code into legitimate website in order to steal personal information on website visitors. Most of the exploits allow hackers to infect user profiles with malware that could spread through the internet and steal users log-in details.

"Just like other major social networking sites (or even more), YouTube is responsible for the privacy and security of hundreds of millions of users," said Matthies.

"However, presently this security is not provided in the least due to a continuously increasing amount of severe security vulnerabilities on YouTube coming with each site update."

"Having security holes is one thing but not responding to vulnerability reports is totally unacceptable and certainly not conform to your commitment to data security," he said. "Taking that into account I'm going to have one last try and give you two weeks from now to contact me. If you don't, I am obliged to disclose all vulnerabilities in public."

According to research from Secure Computing, cross-site scripting flaws aren't the only problems affecting the popular video sharing site.

The IT security firm said that hackers are planting fake videos on the site which infect computers with the Zlob virus. While personnel at YouTube were quick to take down the infected videos, Paul Henry, vice president of technologies at Secure Computing said that the incident heralded a new attack vector for hackers.

"The fact is no one expects to find malware hidden in YouTube files. Yet the medium's popularity is highly alluring as a mass distribution vehicle for malicious code," said Henry. The Zlob virus then installs adware and spyware that then bombards users with pornographic ads.

"What's alarming is that, from a security perspective, many users and organisations will be blindsided and potentially seriously exposed."

Henry was concerned that the virus was a prelude to hackers infecting computers with keyloggers or make them part of a botnet.

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.