Fascinating read… the bad guys “never sleep”, neither should us.
The “custom payload” that Hacking Team uses to compromise YouTube injects malicious code into the video stream when a visitor clicks the play button. The user sees the “cute animal videos” he expects, according to Citizen Lab, but the malicious code exploits a flaw in Adobe’s Flash video player to take control of the computer.
Another attack, custom-built for use on Microsoft pages, uses Oracle’s Java technology, another common browser component, to insert a back door into a victim’s computer.
Security and privacy advocates have identified those vulnerabilities before, but the two companies regarded them as hypothetical. In response to a bug report in September 2012, which warned of a potential YouTube attack, Google’s security team responded that the use of unencrypted links to send video “is expected behavior.” Google closed the discussion with the tag “WontFix.”