YouTube was hit by a persistent cross-site scripting (XSS) vulnerability which affects YouTube's comment field. Malicious JavaScript was inserted into user's comments by exploiting a XSS flaw. The bug was abused by unnamed attackers to poison the comments on multiple videos.

Researchers from a Romanian security team (InSecurityRomania) have revealed the vulnerability first.

Google has corrected the issue now but it is possible that malicious users have already exploited it to redirect unwitting YouTube users watching videos to drive-by download pages in order to infect them with malware, adware and spyware.

Cross-site scripting (XSS) vulnerabilities is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.

Experts distinguish between at least two primary flavors of XSS: non-persistent and persistent.

The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type. For example, a non-persistent XSS vulnerabilitie in Google could allow malicious sites to attack Google users who visit them while logged in.

The persistent XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. For example, a persistent cross-zone scripting vulnerability coupled with a computer worm allowed execution of arbitrary code and listing of filesystem contents via a QuickTime movie on MySpace.