YouTube Hacked - Ramifications for the Connected TV Industry?

written by: Richard Kastelein


Yes - it's certainly an issue that's not been discussed much in TV/Web convergence circles. But open standards and technologies porting over from the Web to TV will mean extra security concerns, as hackers could conceivably take over one's TV set under the right conditions. Let's start with a fact. YouTube is not like Android - it is not open source software. It is reasonably open, however, and does have APIs available. But it is web-based and apparently has had some vulnerabilities exploited by creative hackers over the years.

One of the key issues with opening up software is that it exposes some or all of the source code to examination by everyone, both attackers and defenders, and there's been a debate going on for years about the ultimate impact of this situation. On the proprietary side, they argue that a system without source code is more secure because there's less information available to a hacker. Makes sense in a way. Except for the fact that hackers generally don't need source code to find vulnerabilities.

If software is created using open standards, public scrutiny and rabid community members are more apt to improve its security but... just because a program is open doesn't magically mean it's secure. And just because software is encrypted and proprietary does not mean it does not have vulnerabilities. There are far fewer minds at work on a proprietary project than there are on an open one... less testing, less debugging, fewer resources available.

And this argument has been hashed out in the developer community, with most experts agreeing that open standards have the greater ability to be more secure. However, open source developers are considered by some to be too much "hacker" and too little "engineer". But it's not the engineers who hack... it's the hackers. And how better to protect yourself than with guys who know how the others think? Why do you think top hackers go on to top security jobs in the business?

And then there is Eric Raymond's "many eyeballs" maxim, or Linus's Law, which he wrote about in The Cathedral and the Bazaar: the number of bugs found in a piece of software correlates to the number of people looking at the code.

Those on the other side of the fence argue the following questions: 

Are those eyeballs looking for security problems, though? Do they have any compelling incentive? Are they doing it in a structured way? Do they have a reason to focus dozens or hundreds of hours on the problem to approach the level of effort generally given to a paid audit?

This, of course, dovetails into the reason why Connected TV players and other convergence models around TV are looking at open models such as the iPhone app store and the Facebook application community as models for innovation, with a huge increase in scalability being the perennial carrot on the stick. But security is also a huge concern. The last thing our emerging industry needs is a huge backlash on security issues. The inside joke in the app industry is that Facebook's Zuckerberg has 50,000 coders working for him on 'Spec'. And that's an enticing scenario for any company to mull over - Connected TV or not. He's expecting a billion users on Facebook in the near future. That's one seventh of the world population. Lady Gaga has ten million followers herself. That kind of reach was influenced by Facebook's app strategy and their move to open up some code.

Back to the hack in question.

The Telegraph in the UK led the mainstream media flock in covering the event. Apparently the YouTube hack freaked out the hordes of Justin Bieber fans who, when clicking to drool over their loved one singing about 'Baby' on Sunday morning, were interrupted with a popup saying the young Canadian was dead. Or they were greeted with offers to venture to hacking and porn sites. Bieber has been pushed to tweet to his fans that he is, indeed, alive.

The problem was heavily tweeted about, with YouTube being marked as having a virus.

Graham Cluley, from the security firm Sophos, told BBC News:

"The thing with a cross-site scripting attack is that it will appear that it is a message being posted by that website, which gives it a certain legitimacy."

Slashdot, a tech forum, noted:

"Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."
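
The filtering flaw in the Slashdot summary, as an added example that is not part of the original article and not YouTube's code: a hypothetical renderer that escapes only a leading `<script>` tag, beside one that escapes the whole comment, with a small regression check run over constructed comments. All function names and sample strings are assumptions made for illustration.

```javascript
// Added illustration, not YouTube's code: a hypothetical model of the filter
// behaviour the Slashdot summary describes, next to a renderer that escapes fully.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed (hypothetical): a leading <script> tag is escaped, but the rest of the
// comment is then emitted without any escaping.
function renderCommentFlawed(comment) {
  const lead = /^\s*<script[^>]*>/i.exec(comment);
  if (lead) {
    return escapeHtml(lead[0]) + comment.slice(lead[0].length);
  }
  return escapeHtml(comment);
}

// Hardened: every character of user input is escaped for the HTML text context,
// whatever the comment starts with.
function renderCommentSafe(comment) {
  return escapeHtml(comment);
}

// Regression check: true when rendered output still contains a raw tag opener.
function leaksMarkup(rendered) {
  return /<[a-z!\/]/i.test(rendered);
}

// Constructed sample comments (benign markup only).
const SAMPLES = [
  'Great video!',
  '<b>bold</b> without a leading script tag',
  '<script><b>constructed text</b>',
  '  <SCRIPT type="x"><i>constructed text</i>',
];

// Returns the samples whose rendered form leaks markup for a given renderer.
function auditRenderer(render) {
  return SAMPLES.filter((sample) => leaksMarkup(render(sample)));
}

console.log('flawed leaks:', auditRenderer(renderCommentFlawed));
console.log('safe leaks:  ', auditRenderer(renderCommentSafe));
```

Only the two samples that begin with a script tag get through the flawed renderer, which is why a filter like this can pass casual testing with ordinary comments.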

In a press release Google noted when it was fixed and commented:

“We took swift action to fix a cross-site scripting (XSS) vulnerability on that was discovered several hours ago. We’re continuing to study the vulnerability to help prevent similar issues in the future.”

About the Author

Richard Kastelein
Founder of The Hackfest, publisher of TV App Market and global expert on Media & TV innovation, Kastelein is an award winning publisher and futurist. He has guest lectured at MIT Media Lab, University of Cologne, sat on media convergence panel at 2nd EU Digital Assembly in Brussels, and worked with broadcasters such as the BBC, NPO, RTL (DE and NL), Eurosport, NBCU, C4, ITV, Seven Network and others on media convergence strategy - Social TV, OTT, DLNA and 2nd Screen etc.

He is a Fellow of the UK Royal Society of Arts (RSA) and UK Royal Television Society (RTS) member.

Kastelein has spoken (& speaking) on the future of media & TV in Amsterdam, Belfast, Berlin, Brussels, Brighton, Copenhagen, Cannes, Cologne, Curacao, Frankfurt, Hollywood, Hilversum, Geneva, Groningen (TEDx), Kuala Lumpur, London, Las Vegas, Leipzig, Madrid, Melbourne, NYC, Rio, Sheffield, San Francisco, San Jose, Sydney, Tallinn, Vienna, Zurich...

He's been on advisory boards of TEDx Istanbul, SMWF UK, Apps World, and judged & AIB awards, Social TV Awards Hollywood, TV Connect & IPTV Awards.

A versatilist & autodidact, his leadership ability, divergent and synthetic thinking skills evolved from sailing the world 24000 miles+ offshore in his 20′s on sailboats under 12m.

He spent 10 years in the Caribbean media & boating industry as a professional sailor before returning to Europe, to Holland.

A Creative Technologist and Canadian (Dutch/Irish/English/Metis) his career began in the Canadian Native Press and is now a columnist for The Association for International Broadcasting and writes for Wired, The Guardian & Virgin. His writings have been translated into Polish, German and French. 

One of Kastelein's TV formats was optioned by Sony Pictures Television in 2012. 

Currently involved in a number of startups including publishing TV App Market online, The Hackfest and Tripsearch TV. As CSO for Worldticketshop he helped build a $100m company.
