This type of attack is called an XSS attack.
You execute a script using one of the website's functions, in this case the comment box.
XSS can be client-sided or server-sided.
Client-sided:
Client enters a command / JS function to execute into a form or URL.
Server-sided:
Client programs a script to input certain values into the form at the target's website.
In this case, many people injected the personal JS file for the video with their code.
To display a message through a vulnerable website using XSS, an attacker would execute the following code:
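<script>
// Define a function that shows a message box to the visitor.
function show_alert() {
  var msg = "Warning you haz a virus dude! GTFO";
  alert(msg);
}
// Call the function so the message is displayed when the page loads.
show_alert();
</script>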
Personally I could have never imagined YouTube had an XSS vulnerability after all these years... I doubt there's gonna be any more found since YouTube is on high alert for these types of attacks and they've hired some people to check the site to maintain security.
Hopefully the information I have just provided does not go to any type of illegal use and I am not responsible if in any case it does go to illegal use.
4chan = 1
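Added example, not part of the original post and not YouTube's code: how a comment box ends up executing a script like the one above, and how HTML-escaping the comment on output stops it. The function names and the sample comment are assumptions made up for this illustration.

```javascript
// Hypothetical comment renderer: the unsafe form next to the escaped form.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that has meaning in HTML with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is pasted into the page as markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: user input is encoded, so the browser shows it as text.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Simple check used here to show whether a live script tag survived rendering.
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample comment, modelled on the snippet in the post.
const sampleComment =
  '<script>alert("Warning you haz a virus dude! GTFO");</script>';

const unsafeHtml = renderCommentUnsafe("anon", sampleComment);
const safeHtml = renderCommentSafe("anon", sampleComment);

console.log("unsafe output keeps a script tag:", containsScriptTag(unsafeHtml));
console.log("escaped output keeps a script tag:", containsScriptTag(safeHtml));
console.log(safeHtml);
```

Escaping on output covers text placed in HTML element content and quoted attributes; values placed inside a script block or a URL need encoding specific to that context.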