2014-24-April-cat-talkGo ahead. Go back to your cute cat videos … and, we concede with a grimace, the sex kitten videos, too — if either happens to be your thing. 

A few weeks ago, we told you how hackers used a novel technique to get thousands of online video viewers to unwittingly bombard a B2B website with junk traffic.

Incapsula, a web security firm, said the attack resulted from a persistent cross-site scripting (XSS) vulnerability on one of the biggest and most popular video sites on the web.

Incapsula co-founder Marc Gaffan initially declined to identify the site, saying he wanted to give it time to patch the vulnerability the hackers exploited. All he would acknowledge in early April was that the site ranks among the top 50 websites in the world by traffic based on statistics from Amazon-owned firm Alexa.

That seemed to narrow it down to Youtube.com — the third largest — or Xvideos.com — the 44th largest.

Wrong!

So Who?

2014-24-April-Marc-Gaffan.jpg

It was Sohu.com, China’s eighth largest website and the 27th most visited website in the world. Wait. Who?

Sohu — which literally means "search-fox." And here we were, blaming cats.

"While being relatively unfamiliar to Western audiences, Sohu is a local and global powerhouse. This rapidly growing $2.5 billion organization provides a variety of search and content solutions, including Sohu.TV – the video streaming service that enabled the DDoS attack to occur," Incapsula researchers revealed in a update to an earlier blog post this morning.

Incapsula waited to release the name of the site until it had a chance to fix the hole that let the pain get in — specifically, malicious JavaScript the hackers embedded inside the image icons of the accounts they created. During an interview with CMSWire two weeks ago, Gaffan said "I can’t disclose the domain name in question at this time until the vulnerability is fixed."

Gaffan and his team concede they had second thoughts about the decision to withhold the name of the site.

Our disclosure of this vulnerability received extensive media coverage, which was accompanied by numerous attempts to guess the website’s identity. By far, the most popular assumption was that this story is about YouTube. While we wanted to debunk that rumor, we couldn’t allow ourselves to be drawn into a 'twenty questions' game, which would inevitably provide additional clues to the vulnerable website’s true identity." 

Now the vulnerability is patched. So the cat — fox — is out of the bag.