Update 16:00 Sun 04 Jul 2010: You Tube is reporting that they fixed this bug and cleansed the comments. I, however, am perfectly content to give it another day before trying them again. Back to the original post…
I have commented out the links to You Tube in yesterday's Swedish Chef “Popcorn” post. There's a cross-site scripting (XSS) vulnerability in You Tube's comments (and maybe in video titles, too). Taking advantage of this vulnerability is as easy as copy and paste, and last night, someone told 4chan about it.
They are now doing their best to destroy You Tube, because destroying things is what they do. The damage is mostly limited to scrolling marquees saying “4CHAN ROXORZ” and “LOLOOLOLOL” popups, but a few of them are trying to harvest browser cookies and login sessions.
I feel sorry for the sysadmins and web coders who will lose their holiday weekend dealing with this bullshit.
NoScript — Live It, Love It
Even better, with two clicks you can grant temporary permission to sites that don't know how to write a form or image gallery properly. And you don't have to remember which sites you allowed; just hit “Revoke Temporary Permissions” and they're all banned again.
(Unfortunately, it does not allow specific scripts to run, so you can't enable just the bit that plays You Tube videos without also allowing the rest of You Tube… including the infected comments.)
Vandals Are the Same Everywhere
If you saw any of the G20 riots recently, you surely noticed that the hooligans who started wrecking the town weren't actually protesting anything. There was no message. If they hadn't been burning cars at the G20 summit, they'd have been burning storefronts after a Lakers game, or trees in a state forest. Maybe a synagogue. They don't have a cause, they have a cover story — one that allows them to burn shit.
Not too long ago, 4chan wanted us to believe they were a bunch of heroes because they were picking on Scientologists instead of furries. No, this wasn't just the usual bullying, this time 4chan had a higher purpose. “Anonymous” was going to make the world a better place, and we'd all see we were wrong for doubting them. It was only co-incidence that Tom Cruise had recently embarrassed his Scientology masters, making Scientology look weak in front of a group that preys on the weak.
But that was like, whoa, a year ago or something, and Scientology is kinda boring now. Making a difference turned out to be too much like work.
Today a new weakness appeared, this time in You Tube, and within hours 4chan was attacking them with the same joy and intensity as their crusades against Scientology, furries, and that kid who lost his iPod. Like the G20 riots, it's hard to imagine a less ambiguous way of showing they don't care what their target is, so long as they have one.
4chan is the Internet equivalent of the black-clad morons heaving bricks into a coffee shop. If this were a hurricane, they'd be looting department stores.