
Security

May 20, 2009 2:28 PM PDT

YouTube battling 'Porn Day' campaign

by Elinor Mills

Updated at 4:40 p.m. PDT with Google comment.

YouTube was busy deleting porn videos on Wednesday after users of forums at a rival site and an imageboard site declared a "Porn Day" campaign against the popular video service.

The forums at video site eBaum's World and 4chan organized the mass porn "carpet bombing" on YouTube, according to Ars Technica.

YouTube has been removing the videos as fast as it can, but even videos that are removed are still showing up in search results with explicit images in the thumbnails, the report said.

It could take a couple of days for all the explicit results to be removed from the search results, Google spokesman Scott Rubin told Ars Technica.

In a phone interview with CNET News late on Wednesday, Rubin said that in addition to the porn videos being removed as soon as community members alert YouTube to them, certain channels where the posters were bragging about the campaign and listing the videos were being disabled.

"This group of pranksters thought it would be funny to load a bunch of porn to YouTube," he said. "This is an unfortunate, and I think poorly directed, prank. I think our systems are doing really well at removing content that violates the guidelines."

October 2, 2008 1:02 PM PDT

Researchers find security holes in NYT, YouTube, ING, MetaFilter sites

by Elinor Mills

Updated at 1:30 p.m. PDT with the New York Times saying they fixed the hole.

A new report from researchers at Princeton University reveals serious Web site security holes that could have been exploited to steal ING customers' money and compromise user privacy on YouTube, The New York Times' Web site, and MetaFilter.

The sites have all fixed the holes after being notified by the authors of the report (PDF), William Zeller and Edward Felten, a renowned security and privacy researcher and Princeton computer science professor.

The vulnerability arises from a coding flaw that could allow someone to do a cross-site request forgery (CSRF) attack in which a "malicious Web site causes a user's Web browser to perform an unwanted action on a trusted site," according to the report.

"These attacks have been called the 'sleeping giant' of web-based vulnerabilities, because many sites on the Internet fail to protect against them and because they have been largely ignored by the web development and security communities," Zeller and Felten wrote.

On the ING site, the vulnerability could have allowed an attacker to open an account on behalf of a customer and transfer funds from the customer's legitimate account into that account.

The YouTube hole could have allowed an attacker to add videos to a user's "favorites," join the user's "friend" or "family" list, send messages on behalf of the user, flag videos as inappropriate and share video with the user's contacts, among other things.

On blogging site MetaFilter, an attacker could have exploited the vulnerability to take control of a user's account.

And The New York Times site vulnerability could have allowed an attacker to harvest e-mail addresses of people who use a feature on the site to e-mail articles to other people. The victim's e-mail address could then be used for spamming.

The report says The New York Times site had not been entirely fixed. However, a New York Times spokeswoman said it now has been.

"We take the security of our site and our users very seriously and act quickly to address any vulnerabilities," she said in a statement. "The issues outlined in the report have been resolved. We were notified last year by Ed Felten about 'E-mail This' and fixed the problem he outlined then within days. On Tuesday, we were alerted to a more complicated variant of the same problem (in their blog post) and we closed that security hole immediately."

The researchers suggest fixes that Web sites can make on their servers to close the security hole and they released a Firefox plug-in that can protect consumer PCs even if sites have not fixed the vulnerability.

(Via IDG News Service.)

In this illustration of a cross-site request forgery attack, a malicious Web site causes a user's browser to send a request to a trusted site. The trusted site sees a valid, authenticated request from the browser and does what is asked. "CSRF attacks are possible because Web sites authenticate the web browser, not the user," the report says.

(Credit: William Zeller and Edward Felten)
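The caption's point, that the trusted site authenticates the browser rather than the user, can be seen in a short server-side sketch. This is an added example, not code from the article or the report: it models a "favorites" handler that trusts the session cookie alone next to one that also requires a per-session anti-CSRF token, a widely used server-side defense. The handler names, session store, and request shapes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed)
SESSIONS = {"sid-alice": "alice"}      # constructed session store


def csrf_token(session_id: str) -> str:
    """Token bound to one session; the trusted site embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_cookie_only(cookies: dict, form: dict) -> str:
    """Before: the session cookie alone authorizes the state change."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return "401 not logged in"
    return f"200 added {form['video']} to {user}'s favorites"


def handle_with_token(cookies: dict, form: dict) -> str:
    """After: the request must also carry the token that only the site's pages hold."""
    sid = cookies.get("session", "")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes avoids timing leaks and non-ASCII errors.
    if not hmac.compare_digest(supplied.encode(), csrf_token(sid).encode()):
        return "403 missing or invalid CSRF token"
    return f"200 added {form['video']} to {user}'s favorites"


def demo() -> dict:
    cookies = {"session": "sid-alice"}  # the browser attaches this to every request
    cross_site = {"video": "v123"}      # request triggered by another site: no token
    same_site = {"video": "v123", "csrf_token": csrf_token("sid-alice")}
    return {
        "cookie_only_cross_site": handle_cookie_only(cookies, cross_site),
        "token_cross_site": handle_with_token(cookies, cross_site),
        "token_same_site": handle_with_token(cookies, same_site),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The cookie-only handler cannot tell the two requests apart because the browser sends the same cookie with both; the token check succeeds only for the request that originated from the site's own page.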