Orkut under Cross-Site Scripting (XSS) Attack @ tk here on Wednesday, December 19, 2007 1:32 PM
Google
You could also try tk Social Bookmarking Search or tk Video Search!

Wednesday, December 19, 2007

Orkut under Cross-Site Scripting (XSS) Attack

Right at this very moment, a cross-site script has been spreading like wildfire in Orkut communities due to a flaw in Google's Orkut.

If you've read the following scrapbook entry in Orkut

2008 vem ai... que ele comece mto bem para vc

from one of your friends, you're infected. Simply viewing the message alone is sufficient for your Orkut account to be added a new community named "Infectados pelo Vírus do Orkut" and be an unwilling new host for the worm. At the time of this writing, the number of Orkut members in Infectados pelo Vírus do Orkut is already at the 400K mark.

According to a posting made by the author of this worm, Rodrigo Lacerda, this script is not malicious in any way, well except for making you an unwitting participant of his experiment. You can verify this for yourself as someone has posted the decoded javascript source of the script at . The original is located at . Still, changing your password isn't terribly difficult.

From what I can grasp from scanning through the script, it appears to work this way. First, it'll add you to http://www.orkut.com/CommunityJoin.aspx?cmm=44001818. Next, it'll load and extract your entire friends list and send itself to them, thus completing the infection cycle. It is able to do this because of the fact that Orkut allows HTML to be inserted into scraps.

Apparently "2008 vem ai... que ele comece mto bem para vc" is roughly translated into 2008 is coming... that it begins is really good for you. It doesn't seem to look that way for Orkut engineers.

Edit: Btw, the excessive traffic generated by this script is partly due to the fact that it will continually attempt to contact Orkut's servers if it fails to do what it wants on the first try (force you into the above-mentioned community and load your friend's list).

Update: The original script location now returns an empty file. That should prevent any new infections from now on. Note that while many folks think that the flash file is somehow malicious, I'm quite sure that it isn't because http://www.orkut.com/LoL.aspx (source of the flash) doesn't even exist!

The embed code is simply the vector through which the malicious script is loaded. This is because it is crafted in such a way that your browser will parse and execute the javascript contained in the embed code. Hence the best way to mitigate this would be to use the rather than , since javascript is the real culprit here.

Btw, you should thank Rodrigo Lacerda for highlighting this vulnerability in such a manner.

Sources:
[]
[]

 

6 people had something to say! Why don't you join in? The more the merrier!

On 01 May, 2013 21:24, Anonymous said...

Oh my goodness! Impressive article dude! Thank you, However I am having issues with
your RSS. I don't understand the reason why I cannot join it. Is there anybody getting the same RSS issues? Anyone who knows the answer can you kindly respond? Thanx!!

My site: bmi chart male

On 12 May, 2013 02:38, Anonymous said...

My brother recommended I might like this website.
He was entirely right. This post truly made my day. You cann't imagine just how much time I had spent for this information! Thanks!

Take a look at my web page ... dj nunta

On 19 June, 2013 06:51, Anonymous said...

Published: Tuesday, April 8, 2008 11:07 AM CDT Following the January reports of unidentified flying
objects over Dexter Missouri Nutrition Center, causing a worldwide stir among curious journalists and UFO enthusiasts.


Also visit my web page; zachariah hedrick

On 11 June, 2014 16:49, Anonymous said...

I'm extremely impressed together with your writing talents as well as with the structure to your blog.
Is this a paid theme or did you modify it yourself?

Either way stay up the excellent quality writing, it is uncommon to
see a great weblog like this onee today..

Take a look at my website; ihacktivation

On 21 June, 2014 00:43, Anonymous said...

My family all the time say that I am killing my time here at net, except I know I
am getting experience daily by reading such good content.


Also visit my blog post ... top ten web hosting company in india

On 01 July, 2014 05:56, Anonymous said...

Most of the new functions appear too-much like social media giant Facebook.
Many individuals ignore this quite simple phase.

No commandline scripts and no lousy dark DOS-like monitor!



my site :: whatsapp for pc windows xp free download

Google
You could also try tk Social Bookmarking Search or tk Video Search!