Thursday, 20. December 2007
Worm Strikes Google’s Orkut Infecting Hundreds
Google's Orkut social networking site appeared to have been hit by a relatively harmless worm, but one that demonstrated the continuing vulnerability of Web applications.
The worm, which used Flash-based JavaScript malware and took advantage of an XSS vulnerability in Orkut, added the victims to its rogue Orkut community, reportedly called "Infectados pelo Virus do Orkut," which had captured hundreds of thousands of involuntary members.
Scraps, or message posts to an Orkut user's profile, were the main culprits. Victims either got alerts from Orkut that they had a new entry to their scrapbook, or received emails from other Orkut friends who had also been infected. At one point during the attack, the worm was adding members to its rogue Orkut community at a rate of about 100 per minute.
Orkut fixed the XSS bug earlier today, but according to OrkutPlus, a security community within the social network, the vulnerability was still active in Orkut's so-called sandbox profiles. Google's Orkut sandboxes are closed "containers" for Orkut members, such as developers testing out applications.
According to McAfee researcher Vinay Mahadik, the worm is abusing the ability to add JavaScript content to Orkut Scrapbook entries, a feature that was only recently introduced by Google.
"This clearly illustrates the issue with allowing rich-content on social/professional networking sites, and not sanitizing it enough," said Mahadik.
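Mahadik's point, that rich content has to be filtered rather than trusted, is what an allowlist-based filter for scrap entries enforces. The following is an added example, not Orkut's or Google's code: a server-side sanitizer in Python that keeps a small set of formatting tags, discards script and object content together with event-handler attributes, and rejects URLs that are not http(s); the tag and attribute lists and the sample scrap are assumptions constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlisted tags and the attributes each may keep; anything else is dropped.
ALLOWED = {"b": set(), "i": set(), "br": set(), "p": set(),
           "a": {"href"}, "img": {"src", "alt"}}
# Elements dropped together with their text; an unclosed one swallows the rest (fails closed).
DROP_CONTENT = {"script", "style", "iframe", "object"}
SAFE_SCHEMES = ("http://", "https://")  # rejects javascript:, data:, vbscript: URLs

class ScrapSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return  # unknown tag (font, embed, ...): drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops onmouseover=, style=, and any other unlisted attribute
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED and tag not in ("br", "img"):
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

def sanitize_scrap(raw_html):
    parser = ScrapSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)

# Constructed sample scrap (not the real worm's payload): rich content mixed with markup that must not survive.
SCRAP = ('Oi! <b onmouseover="x()">veja</b> <font color="red">texto</font> <script>x()</script>'
         '<embed src="http://example.com/w.swf"><a href="javascript:x()">clique</a> '
         '<a href="http://example.com/">ok</a> <img src="http://example.com/a.png" alt="x"> fim')
```

Running `sanitize_scrap(SCRAP)` keeps the bold text, the two links and the image but leaves no handler attribute, script, embed or javascript: URL in the output; the filter is strict by design and also drops legitimate tags it does not list, which is the trade-off an allowlist makes.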
This is the second major worm attack to take aim at a popular social network. In October 2005, the Samy worm used cross-site scripting techniques to spread through MySpace, infecting more than a million users in less than a day.