The Latest Orkut Worm, Rodrigo Lacerda and 400,000 Members Joining One Community within 12 Hours of its Creation


Screenshot – WashingtonPost

Introduction



  • Something was wrong on orkut.
  • Members complained that they had been joined to a community they never joined manually.
  • Surprisingly, that community reached 400,000 members within 12 hours of its creation.

» How Did it Happen?



We had already warned about an XSS flaw in the scrapbook. Others used it for unethical purposes, but one person thought differently: he used the same flaw to make history, turning orkut upside down and leaving its team puzzled for some time.

» What Was in His Mind?



Rodrigo writes that on August 8, 2006 he came to know about an XSS flaw on orkut, but at that time he did not have the programming skills to exploit it. He says that back then he wanted to hack as many communities and profiles as he could. The hole was fixed soon after.

On December 19, 2007, he came across a similar XSS hole, and this time he had the programming skills to do whatever he wanted. But his state of mind was different: his aim was not to hack or hurt anyone, but to show how destructive such a flaw can be if used for evil purposes. He created a test community, Infectados by Virus Orkut, which has since hit the headlines everywhere.

» 12 Hours, and the Community with 400,000 Members – How Did He Do It?


  • A member received a scrap.
  • That scrap contained an embed code.
  • The embed loaded a JavaScript payload, which had to be decompressed twice before it ran.
  • The JavaScript then performed the following actions:
      • It automatically joined the member to a specific community.
      • The member unknowingly sent a scrap containing the same embed code to all of his friends.
      • The scrap was then deleted automatically from his scrapbook.
  • All of his friends would then do the same, so it spread like wildfire.
  • It came to a halt when orkut finally fixed the XSS.
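The propagation loop above is what makes a stored XSS in a social feature a worm rather than a one-off bug: every victim's browser runs the script with the victim's own session, and the script uses that session to re-post itself. The example below, added here and not taken from the original post or from Rodrigo's code, is a constructed in-memory simulation of a scrapbook site. It runs the three steps the post lists (join, forward to all friends, delete) over a made-up friend graph, first with a renderer that inserts the stored scrap as raw HTML and then with the fix, HTML output encoding, which turns the embed into inert text. The member names, the friend graph, the `WORM_MARKER` string and the `wormPayload` function are all assumptions for illustration; nothing contacts a real service and there is no obfuscated payload.

```javascript
// Added example (not from the original post or from Rodrigo Lacerda's worm):
// a constructed, in-memory simulation of a scrapbook site with a stored-XSS
// flaw, a worm-style scrap, and the fix (output encoding). The social graph,
// member names and the WORM_MARKER string are all made up; nothing here talks
// to a real service, and the "payload" is a plain function, not real code.

// Stands in for the embedded code in the real scrap. The real payload was
// compressed twice before it ran; here it is just a string the renderer either
// passes through (vulnerable) or escapes (fixed).
const WORM_MARKER = '<embed src="worm">';

// Output encoding: the fix. Once applied, a scrap body is shown as text and
// never parsed as markup, so the embed can no longer execute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

class ScrapSite {
  // friendships: array of [a, b] pairs (undirected); sanitize: whether the renderer encodes output
  constructor(friendships, sanitize) {
    this.sanitize = sanitize;
    this.friends = new Map();     // member -> Set of friends
    this.scrapbooks = new Map();  // member -> array of {from, body, read}
    this.community = new Set();   // members who were auto-joined
    this.scrapsSent = 0;
    for (const [a, b] of friendships) {
      this.addFriend(a, b);
      this.addFriend(b, a);
    }
  }
  addFriend(a, b) {
    if (!this.friends.has(a)) { this.friends.set(a, new Set()); this.scrapbooks.set(a, []); }
    this.friends.get(a).add(b);
  }
  sendScrap(from, to, body) {
    this.scrapbooks.get(to).push({ from, body, read: false });
    this.scrapsSent += 1;
  }
  // The server's renderer. The vulnerable version inserts the stored body as raw HTML.
  render(body) {
    return this.sanitize ? escapeHtml(body) : body;
  }
  // A member opens their scrapbook. If the rendered HTML still contains the
  // embed, the browser would execute it; we model that by calling wormPayload.
  view(member) {
    const book = this.scrapbooks.get(member);
    for (const scrap of [...book]) {
      scrap.read = true;
      if (this.render(scrap.body).includes(WORM_MARKER)) {
        wormPayload(this, member, scrap);
      }
    }
  }
}

// The three actions the post attributes to the decoded script, in order.
// Assumption (to keep the simulation finite; the post does not say): a member
// who has already been joined does not forward again on re-infection.
function wormPayload(site, victim, scrap) {
  if (!site.community.has(victim)) {
    site.community.add(victim);                       // 1. join the community
    for (const f of site.friends.get(victim)) {
      site.sendScrap(victim, f, scrap.body);          // 2. send the same scrap to every friend
    }
  }
  const book = site.scrapbooks.get(victim);
  book.splice(book.indexOf(scrap), 1);                // 3. delete the scrap from the victim's scrapbook
}

// Each round, every member with an unread scrap opens their scrapbook.
// Returns how many members ended up in the community, how many scraps were
// sent in total, and the community size after each round.
function simulate(friendships, sanitize, patientZero, maxRounds = 50) {
  const site = new ScrapSite(friendships, sanitize);
  site.sendScrap('attacker', patientZero, `hi! ${WORM_MARKER}`);
  const timeline = [];
  for (let round = 0; round < maxRounds; round++) {
    const readers = [...site.scrapbooks]
      .filter(([, book]) => book.some((s) => !s.read))
      .map(([member]) => member);
    if (readers.length === 0) break;   // nothing left to trigger: the outbreak is over
    for (const m of readers) site.view(m);
    timeline.push(site.community.size);
  }
  return { infected: site.community.size, scrapsSent: site.scrapsSent, timeline };
}

// Constructed social graph: alice's component has six members; zed and yara are
// friends only with each other, so the worm can never reach them from alice.
const GRAPH = [
  ['alice', 'bob'], ['alice', 'carol'], ['bob', 'dave'],
  ['carol', 'erin'], ['dave', 'frank'], ['zed', 'yara'],
];

const vulnerable = simulate(GRAPH, false, 'alice');
const fixed = simulate(GRAPH, true, 'alice');
console.log('raw HTML renderer :', vulnerable);   // spreads through alice's whole component
console.log('escaped renderer  :', fixed);        // stops at patient zero
```

Two things worth noticing when you run it. First, the worm reaches every member connected to patient zero but never the disconnected pair, which is why the real outbreak was bounded only by the size of orkut's friend graph. Second, with output encoding the very same scrap is still delivered and stored; it simply renders as text, so the fix belongs in the renderer (or in a filter that strips embed and script markup before storage), not in a blacklist of known payloads, which the double-compressed real payload would have evaded anyway.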

Gaurav Dua, 22, Webmaster and Businessman. Based in Jammu, J&K – India.


Tags - Cross Site Scripting, Orkut News, Security

  2 Comments on this Article.



  1. [...] Orkut Plus Tags: orkut / robak / [...]


  2. [...] is orkut’s way of curbing spam and execution of malicious javascripts or keyloggers and virus [...]
