Google Exterminates Its 'Orkut' WormGoogle Exterminates Its 'Orkut' Worm

The attack worked because the social networking site allowed users to embed Flash content in their scrap posts.

Thomas Claburn, Editor at Large, Enterprise Mobility

December 20, 2007

2 Min Read
information logo in a gray background | information

Google says it has repaired a security issue in its Orkut social networking site that allowed a worm to propagate among at least 400,000 Orkut users.

"Google takes the security of our users very seriously," a company spokesperson said in an e-mail Wednesday evening. "We worked quickly to implement a fix for the issue recently reported in Orkut. We also took steps to help prevent similar problems in the future. Service to Orkut was not disrupted during this time."

Orkut, Google's first pass at social networking, was launched in January 2004 and named after its creator and Google employee, Orkut Buyukkokten. The site is reported to have in excess of 67 million registered users overall. By comparison, MySpace boasts 110 million users.

On Wednesday afternoon, Trend Micro antivirus engineer Robert McArdle published a blog entry warning that a worm was replicating itself across Orkut using a Flash object that invokes malicious JavaScipt code.

"The attack works due to Orkut allowing users to embed Flash content in their scrap posts (although it does filter for normal XSS techniques)," said McArdle in a blog post. "The author appears to have created a SWFObject that calls the malicious JavaScript and was able to use this to bypass Orkut's filters."

The attack began as an e-mail message alerting Orkut users that they have a new Scrapbook (guestbook) entry. Viewing that entry is sufficient to initiate malicious JavaScript that sends a copy of the infected entry to the Orkut user's contacts, thereby putting them at risk of infection.

According to McArdle, the worm was a proof-of-concept attack. "The possible implications of a more malicious attack in the future however are much more worrying," he said.

A number of security firms and organizations have warned that social networking sites are likely to be exploited more frequently in 2008. "Social networking is a new risk," said GetSafe Online, a U.K. security organization backed by the government and tech companies, in conjunction with a November press event. "Twenty-five percent of people surveyed shared confidential information with strangers on social networking sites."

Read more about:

20072007

About the Author

Thomas Claburn

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, information, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

See more from Thomas Claburn
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

A group of smiling college graduates celebrating their graduation.
IT Leadership
Why Liberal Arts Grads Could Be the Best Programmers of the AI Era
Why Liberal Arts Grads Could Be the Best Programmers of the AI Era

Jan 17, 2025

Flame front of the Eaton Fire on the first night during the January 2025 California wildfires in Altadena and Los Angeles
IT Sectors
How Tech Supports the Emergency Response to the LA County Wildfires
How Tech Supports the Emergency Response to the LA County Wildfires

Jan 16, 2025

Graphic Pop Art style Illustration of Keanu Reeves as NEO from the film, The Matrix
IT Infrastructure
Y2K and Infrastructure Resilience 25 Years Later
Y2K and Infrastructure Resilience 25 Years Later

Jan 7, 2025

Young businessman working on a virtual screen of the future and sees the inscription: Now hiring
IT Leadership
Help Wanted: IT Hiring Trends in 2025
Help Wanted: IT Hiring Trends in 2025

Nov 20, 2024

Cobol programming language software development concept on vitual screen.
IT Leadership
Untangling Enterprise Reliance on Legacy Systems
Untangling Enterprise Reliance on Legacy Systems

Jan 21, 2025

Webinars
More Webinars
White Papers
More White Papers
Reports
More Reports