Orkut XSS worm infected 400,000 users

Daniel Nyström — Wed, 19 Dec 2007 12:58:54 +0000

Seems like Orkut (the google social networking site) got hit with a pretty nasty XSS worm.

It did not do anything malicious (fortunately) to the users whose profiles were infected, but probably caused a quite high load on the Orkut systems and joined all infected users into a group called “Infectados pelo Vírus do Orkut“.

The description of that particular group described the motivation for the hack and the main point seems to be the illustration of the insecurity in web applications such as Orkut.

For more information, including source code for the virus, see: Antrix.net or GNUCITIZEN’s posts on the subject.

These kinds of issues are raising serious concerns over services such as “Google Docs” (online office applications) and the upcoming gDrive and one might pose the question:

Do you trust Google with your data?

** Update **

More reading regarding this incident:

Sylvan von Stuppe - Orkut Worm
Arbor Networks - Orkut XSS Worm
SophosLabs - Large scale Orkut virus outbreak not cool
TrendMicro - Orkut/Google worms Compromise over 400,000 accounts

Cheers,

Firefox JAR: vulnerability - quick summary

Daniel Nyström — Thu, 15 Nov 2007 00:22:24 +0000

For those of you that has not been following the computer security news and blogs there is a new vulnerability in town, and it’s nasty.

The problem lies in the jar: protocol implementation used by Firefox and it enables an attacker to conduct XSS and gives them almost limitless possibilitys for malware hosting.

This is an example URI which exploits the issue:

jar:http://www.icmpecho.com/myjarshrine/yarihooo.jpg!/malwareloadingscript.html

Now, instead of copying others work which they have probably spent hours or more on to explain the issue in full, I’ll give you a short recap of the happenings and more and more exposing blog posts:

2007-02-08 - Jesse Ruderman logs the bug in the Mozilla bugzilla tracker. It remains unpatched and not widely known until…2007-11-07 - Researcher pdp discusses the issue and potential impact at GNUCitizen. This opens this bug up to a whole new audience and…2007-11-10 - Beford illustrates the seriousness of this issue and issues in the same family by targeting Google and Gmail and posts a new bug entry.2007-11-10 - And then Mario posts at GNUCitizen about other attack vectors including malware- and exploit-hosting.

During these last days we have also seen some very strange recommendations from leading scurity experts at ZDNet, Secunia and US Cert (and one at The register as well) as the most excellent Giorgio over at the Hackademix blog.

The problems with the recommendations given by these persons and/or organisations is mainly that the recommend blocking URI’s containing JAR: in webfilters and deep packet inspecting firewalls or avoid following “jar:” links.You should understand why this would be a total waste of time if you have read the above articles and in particular Giorgio’s comments on the issue.

Also you should know why if you have seen one page load another like in most web based exploits (Including the one on the Swedish Parliament’s websites this week (swedish link, sorry)). My feeling is that the first advisories were rushed out “to be first in the corporate sector” and sloppy research took its toll.

If you do want to protect yourselves for real, you might wanna download and install the NoScript extension to Firefox which also handles JAR.

Happy times!

ICMPECHO » xss

Orkut XSS worm infected 400,000 users

Firefox JAR: vulnerability - quick summary