Google acts to fix YouTube flaw exploited by hackers
The BBC reports on how YouTube has been forced to fix a flaw allowing hackers to bombard users with fake pop-up messages and redirect them to adult sites.
Hackers placed code in the comments section, under targeted videos, that would run when people watched the clip. In some cases, a pop-up screen appeared reporting that the Canadian singer, Justin Bieber, had died in a car crash.
Google, which owns YouTube, said that it had fixed the problem “about two hours” after it was discovered. “We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com,” a spokesperson said. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours.”
Cross-site scripting (XSS) vulnerabilities are relatively simple flaws that allow hackers to place code into web pages. In the YouTube incident, hackers used JavaScript code and HTML, both commonly used on web pages.
Security experts said that although in most cases the code was relatively benign, it has been used for more malicious purposes such as phishing, a common tactic used by cybercriminals that involves using fake websites to lure people into revealing details such as bank accounts or login names.
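The comment scenario described above, as an added example that is not from the BBC article or from YouTube's own code: it contrasts rendering a stored comment as raw markup with encoding it at output, and adds a simple check for flagging stored comments that contain tags. All function names and the sample comments are constructed for illustration.

```javascript
// Characters that can change how a browser parses surrounding HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: turn markup characters into inert entities.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-supplied fields are concatenated into the page as-is,
// so any tag in the comment becomes part of the document.
function renderCommentUnsafe(comment) {
  return `<li class="comment"><b>${comment.author}</b>: ${comment.text}</li>`;
}

// Hardened pattern: every user-controlled field is encoded when it is written out.
function renderCommentSafe(comment) {
  return `<li class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.text)}</li>`;
}

// Triage heuristic: flag stored comments that contain something shaped like a tag,
// e.g. to review what was posted while comments are hidden.
function looksLikeMarkup(text) {
  return /<\s*\/?\s*[a-z!]/i.test(String(text));
}

// Constructed sample data (hypothetical comments, not taken from the incident).
const comments = [
  { author: 'viewer1', text: 'Great video, 10/10 & would watch again <3' },
  { author: 'viewer2', text: "<script>alert('constructed hoax pop-up')</script>" },
];

// Summarise, per comment, whether it is flagged and whether each renderer
// would emit a live <script> tag into the page.
function auditComments(list) {
  return list.map((c) => ({
    author: c.author,
    flagged: looksLikeMarkup(c.text),
    unsafeEmitsScript: /<script/i.test(renderCommentUnsafe(c)),
    safeEmitsScript: /<script/i.test(renderCommentSafe(c)),
  }));
}

console.log(auditComments(comments));
console.log(renderCommentSafe(comments[1]));
```

Encoding at output keeps the ordinary comment readable (`<3` displays as typed) while the second comment is shown as text instead of being executed.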
Google said it was “continuing to study the vulnerability to help prevent similar issues in the future”.
When the vulnerability was first reported, rumours suggested that YouTube was infected with a virus.
Access the original article online at: http://news.bbc.co.uk/1/hi/technology/10506150.stm