Saturday, September 25, 2010

Bom Sabado - The orkut virus !!

If you are still one among those who give a damn about orkut, then this might be one thing that you really care about. Today, orkut has been hit by a vulnerability that is a real security threat to your account.



The virus is called "Bom Sabado", meaning "Good Saturday" in Portuguese. This is yet another XSS attack, making it the second XSS attack on a major website this week. Earlier this week, Twitter faced a similar attack. There is no official update from Google yet on this issue.

What does it do?

When you open orkut and you are affected by this virus (which could be possible if one of your friends is already affected), a piece of JavaScript will automatically run, doing the following:

  • Makes your browser hang for a moment

  • Adds you to the attacker's communities (orkut equivalent of facebook fan pages) without your consent

  • Sends a scrap (orkut equivalent of facebook wall) to all your friends without your consent, with the text "Bom Sabado" and a piece of code that will do the same set of actions when your friend logs in to his/her account



How to prevent this?

  • Unlike the Twitter XSS attack, this is a severe one that steals your cookies and thereby impersonates your session. If you have logged in to orkut anytime today, clear your browser's cookies and cache.

  • To be safe, change your Google account password and security question. To do this, go to https://www.google.com/accounts

  • Do not visit orkut until Google officially says that they have fixed it. For updates, keep looking here

  • If your account seems to be behaving crazy or if it's totally compromised, then see here for a solution.

  • Delete your orkut account and join facebook !



I badly want to use orkut now!

If you badly want to use it now, then you can use this minor hack to do that. The virus seems to be loading the malicious JavaScript code from tptools.org, so you can make that domain point somewhere else in your hosts file.

Edit your hosts file (Windows - C:\windows\system32\drivers\etc\hosts; Linux - /etc/hosts) and add the following lines:
127.0.0.1 tptools.org
127.0.0.1 www.tptools.org

This tweak will make tptools.org resolve to your own system, and hence the JavaScript will fail to load. Note that you are at your own risk; I am not responsible if your account gets compromised even after you make this tweak !!
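To check that the hosts-file tweak above actually took effect, here is an added example (not part of the original post) that parses a hosts file and reports which of the two names are not pointed at loopback. It assumes the resolver uses the first entry it finds for a name; the function names and the sample file contents are constructed for illustration.

```python
import ipaddress
import os

# The two names the post says to redirect.
BLOCKED = ("tptools.org", "www.tptools.org")

def parse_hosts(text):
    """Map each hostname to the first address listed for it.

    Assumption: the resolver uses the first matching entry, so a later
    127.0.0.1 line does not override an earlier line for the same name.
    """
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on blanks
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def unblocked(text, names=BLOCKED):
    """Return the names that are missing or do not resolve to loopback."""
    table = parse_hosts(text)
    return [n for n in names if n not in table or not table[n].is_loopback]

# Constructed sample, not a real hosts file. 203.0.113.7 is a documentation address.
SAMPLE = """\
127.0.0.1    localhost
# 127.0.0.1  tptools.org        (commented out: no effect)
127.0.0.1    TPTools.org        # names are case-insensitive
203.0.113.7  www.tptools.org
127.0.0.1    www.tptools.org
"""

if __name__ == "__main__":
    # Paths as given in the post.
    path = r"C:\windows\system32\drivers\etc\hosts" if os.name == "nt" else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        missing = unblocked(fh.read())
    print("sample file leaves unblocked:", unblocked(SAMPLE))
    print(path, "leaves unblocked:", missing or "nothing")
```

The hosts file has no wildcard syntax, so each name has to be listed on its own; that is why both tptools.org and www.tptools.org appear in the tweak.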

I will try to update this post once there are some official responses from google.

-Vignesh