Twitter and Orkut XSS worms in the news

Written by DP

Monday, 27 September 2010

I know it is a little late to mention these XSS worms, but they made numerous headlines last week...
Twitter "OnMouseOver" XSS worm in the news
Jean-Pierre Vincent, aka "braincracking", is a French web security researcher who submitted the "OnMouseOver" Twitter XSS to the archive. His exploit simply redirects the visitor to a non-existent URL for demonstration purposes.
Twitter has been XSSed many times in the past, and most of those XSS attacks occurred last summer.
Orkut worm in the news
Orkut has been hit by a worm named 'Bom Sabado', which means 'Good Saturday' in Portuguese. This XSS worm posted scraps containing the text "Bom Sabado" to Orkut users and added affected users to new Orkut groups. Orkut has suffered from other vulnerabilities in the past, including XSS, script insertion, information disclosure, and a worm which propagated malware.
Both security issues affecting these popular social networking sites were exploitable because user-supplied input was neither sufficiently validated nor correctly encoded for the HTML context it was rendered into, which allowed both malicious and non-malicious (proof-of-concept) XSS worms to spread.
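As an added example (not code from Twitter, Orkut, or the researcher named above), the following JavaScript shows the bug class behind an "onmouseover" worm: a linkifier that builds an `<a href="...">` tag by string concatenation, so a double quote in the user-controlled URL closes the attribute and whatever follows becomes new attributes. The sample tweet, the `alert(1)` payload, and all function names are constructed for this illustration; the tiny attribute parser only mimics the browser's tolerant tokenizer and is not a full HTML parser.

```javascript
// Added example (not Twitter's, Orkut's, or the submitter's code): the class of bug
// behind an "onmouseover" worm. A linkifier drops a user-controlled URL into an
// href attribute by string concatenation, so a '"' in the URL closes the attribute
// and whatever follows becomes new attributes, e.g. onmouseover="...".
// The sample tweet and the alert(1) payload are constructed for this example.

const SAMPLE_TWEET = 'check this http://example.com/"onmouseover="alert(1)" now';

// Minimal encoder for a value that will sit inside a double-quoted HTML attribute.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable: everything after http(s):// up to whitespace is pasted raw into the tag.
function linkifyVulnerable(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: same matching, but the URL is encoded before it lands in the attribute
// and in the element body. (A real linkifier should also allowlist URL characters.)
function linkifySafe(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => {
    const safe = encodeAttr(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Tiny start-tag attribute parser that mimics the browser's tolerance: after a quoted
// value, the next non-space character begins a new attribute name (the HTML spec's
// "after attribute value (quoted)" state). This is why '"onmouseover="...' inside an
// href takes effect. It is a teaching aid, not a full HTML tokenizer.
function parseStartTagAttrs(tag) {
  const attrs = {};
  const end = tag.lastIndexOf(">");
  let i = tag.indexOf(" "); // skip the tag name
  if (i < 0 || end < 0) return attrs;
  while (i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    if (i >= end) break;
    let name = "";
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    while (i < end && /\s/.test(tag[i])) i++;
    let value = "";
    if (tag[i] === "=") {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < end && tag[i] !== q) value += tag[i++];
        i++; // step past the closing quote
      } else {
        while (i < end && !/\s/.test(tag[i])) value += tag[i++];
      }
    }
    if (name) attrs[name.toLowerCase()] = value;
  }
  return attrs;
}

// Parse the attributes of the first <a ...> start tag in a rendered fragment.
function firstAnchorAttrs(html) {
  const m = html.match(/<a\s[^>]*>/i);
  return m ? parseStartTagAttrs(m[0]) : {};
}

// The vulnerable output carries an onmouseover handler; the safe one only an href.
console.log(firstAnchorAttrs(linkifyVulnerable(SAMPLE_TWEET)));
console.log(firstAnchorAttrs(linkifySafe(SAMPLE_TWEET)));
```

Two caveats a practitioner would add: filtering input for `<script>` would not have helped here, because the payload never needs a tag of its own, only an attribute context; and attribute encoding alone does not stop a `javascript:` URL, so the scheme must be allowlisted as well (the regex above only accepts http and https). In real code, prefer building the element through the DOM (`a.href = url; a.textContent = url`) or a context-aware template engine over string concatenation.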
Twitter's security team has confirmed the XSS flaw is fixed.
Google's security team has confirmed the same: 

"Hi all,

This is to inform you all that we’ve contained the “Bom Sabado” virus and have identified the bug that allowed this and have fixed it. We’re currently working on restoring the affected profiles. Thanks a ton to each of you who’s made an effort to alert everyone else about this. I’ll make sure to keep you guys posted on more updates."
