Some of you might have seen that there was something going on with 40+ security vulnerabilities on YouTube and an ultimatum issued by me. Well, that is correct. Now let me explain what happened.
A couple of months ago I discovered several security holes on YouTube, which I have already mentioned earlier on my blog. Apparently YouTube didn't respond to my reports and continued adding new features with new critical holes. The result after a few weeks was indeed around 40 or even more XSS vulnerabilities on a Website acquired by Google with hundreds of thousands of users each day.
I've been in the security industry for quite some time now, long enough to be able to assess the possible consequences and the likelihood of a severe attack on such a site. Over time, especially Social Networking sites will definitely become a favored target for Web Worms that might even propagate on more than one site. What happened on MySpace back in 2005 was in fact just an idea of what could happen if we were faced with an XSS-based Warhol Worm. Yeah, Samy proved that this is not too far off base and I know that other security researchers agree with me on this matter.
So in case you are still wondering, I chose the path of responsible disclosure instead of just releasing all vulnerabilities to the public because I don't want something like that to happen.
A few days after I issued the ultimatum, Google Security contacted me and we were able to successfully fix all known vulnerabilities. I have also talked with Hunter Walk, who is Product Manager at YouTube, and suggested that he set up a security response team at YouTube to make sure that issues like these are better routed in the future. He promised me he would take care of that.
I appreciate this because I think that when a company has a well working security response team and credits reports appropriately, researchers will be way more motivated to report what they have found.
The Google Security Team is already doing that and publicly thanks me on [www.google.com]. Additionally they sent me a Google t-shirt, which is really cool ;)
I think they have learned their lesson from all the noise.