Regarding the actual flaw here:
This is a big, big hole on Google's part (perhaps it was there before they took over) - an XSS flaw to the extreme. I'm really shocked no-one found it sooner. Heck, even the stuff I write for internal use in companies is more secure than that on the XSS front (though obviously I'm not going to go into details here!)
Typical 4chan as well though - find an easy bug and pretend we all own the internet by behaving like mindless script kiddies.
On the plus side, getting a patch out for this in 2 hours is an unbelievably quick turnaround - Google have done VERY well on that front. With a certain other major software development company I can imagine the fix would have taken weeks... My only concern is that if the patch has been rushed through are there still other XSS exploits out there? I'd expect Google to be thoroughly investigating this though, so hopefully we won't see a repeat any time soon.
Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is.
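The failure mode described in the summary above, as an added example that is not part of the original post and not YouTube's code: a constructed model of an escaper that neutralises only a leading `<script>` tag, beside one that escapes the whole comment at output. The function names and sample comments are assumptions made for illustration.

```javascript
// Added illustration; not YouTube's code. All names here are hypothetical.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML-significant character in a string.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Constructed model of the flaw as the summary describes it: a leading
// <script> tag is escaped, but everything after it is emitted as-is.
function flawedRender(comment) {
  const lead = /^<script[^>]*>/i.exec(comment);
  if (lead) {
    return escapeHtml(lead[0]) + comment.slice(lead[0].length); // remainder is raw
  }
  return escapeHtml(comment);
}

// Hardened form: escape the whole comment unconditionally when writing it
// into the page, with no special case for any particular tag.
function safeRender(comment) {
  return escapeHtml(comment);
}

// Constructed sample comments (not taken from the incident).
const SAMPLES = [
  'great video!',
  'nice <b>bold</b> try',
  '<script><b>injected markup</b>',
  '<SCRIPT type="x"><i>also raw</i>',
];

// Regression check: a plain-text comment renderer must never emit a raw '<'.
// Returns the samples whose rendered form still contains live markup.
function audit(render) {
  return SAMPLES.filter((sample) => render(sample).includes('<'));
}

console.log('flawed renderer leaks:', audit(flawedRender));
console.log('safe renderer leaks:  ', audit(safeRender));
```

A check like `audit` belongs in the test suite of any comment renderer, so that a special-cased filter path of this kind fails the build before it reaches production.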