Yes, it's certainly an issue that has not been discussed much in TV/Web convergence circles. But open standards and technologies porting over from the Web to TV will mean extra security concerns, since attackers could conceivably take over a TV set under the right conditions. Let's start with a fact. YouTube is not like Android: it is not open source software. It is reasonably open, however, and does have APIs available. But it is web-based and apparently has had some vulnerabilities exploited by creative hackers over the years.
One of the key issues with opening up software is that it exposes some or all of the source code to examination by everyone, attackers and defenders alike, and there has been a debate going on for years about the ultimate impact of this situation. On the proprietary side, the argument is that a system without published source code is more secure because there is less information available to an attacker. That makes sense in a way, except for the fact that attackers generally don't need source code to find vulnerabilities.
If software is created using open standards, public scrutiny and rabid community members are more apt to improve its security, but just because a program is open does not magically mean it is secure. And just because software is encrypted and proprietary does not mean it has no vulnerabilities. There are far fewer minds at work on a proprietary project than on an open one: less testing, less debugging, fewer resources available.
This argument has been hashed out in the developer community, with most experts agreeing that open standards have the greater potential to be secure. However, open source developers are considered by some to be too much "hacker" and too little "engineer." But it's not the engineers who hack; it's the hackers. And how better to protect yourself than with people who know how the other side thinks? Why do you think top hackers go on to top security jobs in the business?
Then there is Eric Raymond's "many eyeballs" maxim, also known as Linus's Law, which holds that the number of bugs found in a piece of software correlates with the number of people looking at the code. He wrote about it in The Cathedral and the Bazaar.
Those on the other side of the fence raise the following questions:
Are those eyeballs looking for security problems, though? Do they have any compelling incentive? Are they doing it in a structured way? Do they have a reason to focus dozens or hundreds of hours on the problem to approach the level of effort generally given to a paid audit?
This, of course, dovetails into the whole reason Connected TV players and other convergence models around TV are looking at open models such as the iPhone App Store and the Facebook application community: innovation and a huge increase in scalability are the perennial carrot on the stick. But security is also a huge concern. The last thing our emerging industry needs is a huge backlash over security issues. The inside joke in the app industry is that Facebook's Zuckerberg has 50,000 coders working for him on 'spec'. And that's an enticing scenario for any company to mull over, Connected TV or not. He's expecting a billion users on Facebook in the near future. That's one seventh of the world population. Lady Gaga has ten million followers herself. That kind of reach was influenced by Facebook's app strategy and their move to open up some code.
Back to the hack in question.
"The thing with a cross-site scripting attack is that it will appear that it is a message being posted by that website, which gives it a certain legitimacy."
Slashdot, a tech forum, noted:
"Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."
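The Slashdot description above is a classic escaping defect: the sanitizer handles the first tag it sees and passes the rest of the comment through untouched. The following is an added illustration, not YouTube's code and not the actual bug; the two renderers and the `leaksMarkup` check are hypothetical, and the sample comments are constructed. The broken renderer models the reported behaviour with a regex that lacks the global flag, so only the first tag is escaped; the safe renderer escapes the entire comment as text, which is the fix for any comment system that does not intend to render user-supplied HTML at all.

```javascript
// Added example (hypothetical code, not YouTube's): first-tag-only escaping
// versus escaping the whole comment, plus a defender-side check.

// Escape the characters that can change meaning in an HTML text node or attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed model of the reported defect: the regex has no /g flag, so only
// the first tag in the comment is escaped and everything after it is inserted
// into the page verbatim.
function renderCommentBroken(comment) {
  return "<p>" + String(comment).replace(/<[^>]*>/, (tag) => escapeHtml(tag)) + "</p>";
}

// Fixed renderer: treat the entire comment as text, never as markup.
function renderCommentSafe(comment) {
  return "<p>" + escapeHtml(comment) + "</p>";
}

// Defender check: after rendering, the comment body between the <p> wrapper
// tags must contain no literal tag if escaping was complete.
function leaksMarkup(renderedHtml) {
  const body = renderedHtml.slice("<p>".length, renderedHtml.length - "</p>".length);
  return /<[^>]*>/.test(body);
}

// Constructed sample comments: one benign, one with a leading tag followed by
// a second tag (the pattern the quoted post describes).
const BENIGN_COMMENT = "Nice video & thanks";
const TAGGED_COMMENT = "<script>x</script><b>leaks</b>";

function demo() {
  return {
    brokenBenign: renderCommentBroken(BENIGN_COMMENT),
    brokenTagged: renderCommentBroken(TAGGED_COMMENT),
    safeBenign: renderCommentSafe(BENIGN_COMMENT),
    safeTagged: renderCommentSafe(TAGGED_COMMENT),
    brokenLeaks: leaksMarkup(renderCommentBroken(TAGGED_COMMENT)),
    safeLeaks: leaksMarkup(renderCommentSafe(TAGGED_COMMENT)),
  };
}

console.log(demo());
```

The point of `leaksMarkup` is that a regression test on the rendered output, not on the sanitizer's internals, is what would have caught this: the broken renderer still emits a live `<b>` tag after the escaped `<script>`, while the safe one emits only text. Note also that the broken renderer leaves the bare `&` in the benign comment unescaped, a second symptom of escaping by pattern-matching instead of escaping the whole string.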
In a press release Google confirmed the fix and commented:
“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. We’re continuing to study the vulnerability to help prevent similar issues in the future.”