XSS Worm Hits Orkut
I am not a big fan of social networking websites, but I do visit them just for connectivity with friends. Recently a massive worm called Rodrigo's worm hit the Orkut servers to show the vulnerabilities in Orkut. Here's the review:
- On Orkut, you can use arbitrary HTML when scrapping your friends. Rodrigo's worm exploited this 'feature'. It started with a scrap containing a malicious Flash file. Merely viewing that scrap causes the Flash object to load, which in turn loads our favourite virus.js file. The JavaScript in that file first joins you to the community called Infectatos pelo Virus do Orkut (in English: Infected by the Orkut Virus) and then sends the same Flash file as a scrap to as many people on your friends list as it can. When each of your friends views their Scrapbook, they in turn propagate the worm to their friends, and so on. This is stored XSS in its purest form: the payload sits in the victim's own Scrapbook, so no link has to be clicked; the site's rendering of untrusted HTML does all the work.
- "Friends don't let friends use raw HTML" would be a good maxim for everyone to follow.
- It's fair to say that almost every member of that community was an involuntary signup. Based on the reported peak size of the community, more than 655,000 users were affected.
- The attack was apparently without malicious intent and done just to highlight the security problems with such networking sites. Although the motives might be clean, I question the modus operandi. McAfee folks have named this W32/KutWormor.
- This post got linked from various places including several bloggers, News.com, ZDNet and Valleywag(!). But, as Valleywag points out, if this had happened on MySpace or Facebook, it would be all over the US media.
- No official word from Orkut yet on this except a reply in a forum thread. Amusingly, the list of suggestions offered in that reply to 'stay safe' wouldn't have helped at all with this worm: it needed no click and no credentials, only a visit to your own Scrapbook, and would have run for anyone with both Flash and JavaScript enabled. Disabling either one would have broken the chain (no Flash, nothing loads virus.js; no JavaScript, virus.js never runs), but nothing short of that would have.
- Curiously enough, the official Orkut blog got a new post during/after this incident but the post says absolutely nothing about what happened!