December 18-19, 2007 was like a nightmare for orkut. Some bad code was executing behind the browsers of orkut users. This is about the worm outbreak which affected more than 600000 orkut users within a night. Although the worm was relatively harmless, it demonstrated once again how disastrous a simple flaw can become when it involves persistent XSS. These days you get a lot of search results if you search for "orkut scrapbook xss", but at that time the news wasn't that widespread. It was snapped up like a hot cake by many who were in search of a good XSS to be discovered, and the only sources of information were a few hacking communities on orkut and, of course, the infected scrapbooks.
The first time I heard of that embedded flash XSS I was a bit perplexed. I knew a few things about XSS, but I didn't even know how to embed a flash object in someone's scrapbook. When orkut introduced the concept of embedding flash objects in scrapbooks I never had a look at it, maybe because I never knew about the XSS possibilities involved in embedding flash objects, or simply because I wasn't interested in sending flashy, colorful scraps to orkut friends. But the vulnerability wasn't a very incredible one. If you search for flash XSS in general, you will find many good articles discussing the common errors that can happen, and at least one of these articles dates back to 2003. So the concept isn't very new; the orkut embedded flash XSS vulnerability seems to be just another case. Other social networking websites have been hit too: Myspace was hit by a flash worm in 2006, though the functionality of the Myspace worm was far different from this one.
The worm didn't do any harm to anyone, and even if you don't know much about the technical workings of traditional viruses and worms, you can still get an idea of how web-based worms work from it.
Here is the modus-operandi of the orkut worm...
1. It will appear in a scrapbook as a scrap
As for the technical details, the injection of code in this case reminds me of SQL injection. When you embed a flash object in the scrapbook, you are required to paste the exact HTML code for embedding a flash object. Orkut handles the code in its own way and makes it appear in the scrapbook. Though I am not great at embedding flash files in HTML, I know where the problem occurred. Suppose you are embedding a scrap with a flash file xss.swf hosted on example.com. Then you would paste the following code into the scrapbook.
<embed src="http://example.com/xss.swf" type="application/x-shockwave-flash" wmode="transparent" width="10"
After submitting the scrap, you can view the source of the scrapbook and you will find the code as orkut implemented it:
The problem is that the attribute value was placed, unescaped, inside a JavaScript string literal in that generated code. For example, we could replace "transparent" with "transparent');alert('xss", so that the scrap to be posted looks like this.
<embed src="http://example.com/xss.swf" type="application/x-shockwave-flash" wmode="transparent'); alert('xss" width="10"
and after posting, in the scrapbook source it would look like this...
See, the alert box looks so beautiful when embedded successfully in the orkut page code. :D
This is just an explanation of how the problem occurred and how it was exploited. If you try it now, orkut will successfully filter it out. The correction was made pretty quickly; I think it didn't take more than 2 days. As I already told you, orkut is getting smarter day by day.
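To make the mechanics concrete, here is an added example (my own illustration, not orkut's actual code, whose generated markup is not shown on this page) that models the flaw described above: a renderer takes a user-supplied <embed> tag, pulls out the wmode attribute, and splices it into a JavaScript call as a string literal. The vulnerable renderer lets the quote-and-parenthesis sequence break out of the literal; the hardened one allowlists wmode, validates the src URL, and JSON-encodes anything that reaches the script. The showFlash function name, the output format, and the scanner over stored scraps are assumptions for the example; the two scrap strings are constructed to match the snippets above.

```javascript
// Added example, not orkut's code. Models how an attribute value from a
// user-supplied <embed> tag ends up inside a JavaScript string literal in the
// rendered scrapbook page, and how to render it safely instead.

// Constructed sample scraps, modelled on the page's two snippets.
const BENIGN_SCRAP =
  '<embed src="http://example.com/xss.swf" type="application/x-shockwave-flash" wmode="transparent" width="10">';
const MALICIOUS_SCRAP =
  '<embed src="http://example.com/xss.swf" type="application/x-shockwave-flash" wmode="transparent\'); alert(\'xss" width="10">';

// Parse the attributes of a single <embed ...> tag into a plain object.
// Handles double- and single-quoted values; unquoted values are ignored.
function parseEmbedAttrs(markup) {
  const attrs = {};
  const re = /([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(markup)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// VULNERABLE: the assumed output format is a call to a page script,
// showFlash(src, wmode), built by string concatenation. A wmode value of
// transparent'); alert('xss  closes the literal and the call, then appends
// its own statement; the renderer's trailing ');' even completes it for free.
function renderEmbedVulnerable(markup) {
  const a = parseEmbedAttrs(markup);
  return "showFlash('" + a.src + "', '" + a.wmode + "');";
}

// HARDENED: never trust attribute text. wmode is checked against the three
// values Flash actually defines, src must be an http(s) URL to a .swf file,
// and every value that reaches the script is JSON-encoded so a quote can
// never terminate the literal. Anything else is rejected (null).
const WMODE_ALLOWED = new Set(['window', 'opaque', 'transparent']);

function renderEmbedHardened(markup) {
  const a = parseEmbedAttrs(markup);
  let src;
  try {
    src = new URL(a.src);
  } catch {
    return null;
  }
  if (!/^https?:$/.test(src.protocol) || !/\.swf$/i.test(src.pathname)) return null;
  if (!WMODE_ALLOWED.has(a.wmode)) return null;
  return `showFlash(${JSON.stringify(src.href)}, ${JSON.stringify(a.wmode)});`;
}

// Detection aid for already-stored scraps: returns the indexes of scraps whose
// wmode is not one of the defined values, which is exactly what an injected
// payload looks like to the renderer.
function findSuspiciousScraps(scraps) {
  const hits = [];
  scraps.forEach((scrap, i) => {
    const a = parseEmbedAttrs(scrap);
    if ('wmode' in a && !WMODE_ALLOWED.has(a.wmode)) hits.push(i);
  });
  return hits;
}

console.log('vulnerable:', renderEmbedVulnerable(MALICIOUS_SCRAP));
console.log('hardened  :', renderEmbedHardened(MALICIOUS_SCRAP));
console.log('suspicious:', findSuspiciousScraps([BENIGN_SCRAP, MALICIOUS_SCRAP]));
```

Run with node; the vulnerable line prints a second statement after the showFlash call, the hardened renderer refuses the same scrap, and the scanner flags it. The allowlist matters more than the escaping here: once wmode can only be one of three fixed words, there is nothing left for an attacker to control in the script, and the JSON encoding is only defense in depth for the URL.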
If you are asking how we can protect ourselves from such web-based worms, or how we can ensure that harmful scripts don't run in our browser, then the answer is that there is no foolproof solution. One thing that I didn't mention till now is perhaps the most important thing I wanted to focus on. Despite the widespread effect of the worm, with so many of my orkut friends getting infected and unknowingly joining the community "Infectados pelo Vírus do Orkut", I didn't get a single infection. Though I searched like hell on orkut and unknowingly visited infected scrapbooks, I was still not infected. My browser doesn't allow any kind of hidden code to run on my machine without my permission.
Special Thanks to Mr. Nobody.