Software // Information Management
News
12/20/2007
02:50 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Google Exterminates Its 'Orkut' Worm

The attack worked because the social networking site allowed users to embed Flash content in their scrap posts.

Google says it has repaired a security issue in its Orkut social networking site that allowed a worm to propagate among at least 400,000 Orkut users.

"Google takes the security of our users very seriously," a company spokesperson said in an e-mail Wednesday evening. "We worked quickly to implement a fix for the issue recently reported in Orkut. We also took steps to help prevent similar problems in the future. Service to Orkut was not disrupted during this time."

Orkut, Google's first pass at social networking, was launched in January 2004 and named after its creator and Google employee, Orkut Buyukkokten. The site is reported to have in excess of 67 million registered users overall. By comparison, MySpace boasts 110 million users.

On Wednesday afternoon, Trend Micro antivirus engineer Robert McArdle published a blog entry warning that a worm was replicating itself across Orkut using a Flash object that invokes malicious JavaScipt code.

"The attack works due to Orkut allowing users to embed Flash content in their scrap posts (although it does filter for normal XSS techniques)," said McArdle in a blog post. "The author appears to have created a SWFObject that calls the malicious JavaScript and was able to use this to bypass Orkut's filters."

The attack began as an e-mail message alerting Orkut users that they have a new Scrapbook (guestbook) entry. Viewing that entry is sufficient to initiate malicious JavaScript that sends a copy of the infected entry to the Orkut user's contacts, thereby putting them at risk of infection.

According to McArdle, the worm was a proof-of-concept attack. "The possible implications of a more malicious attack in the future however are much more worrying," he said.

A number of security firms and organizations have warned that social networking sites are likely to be exploited more frequently in 2008. "Social networking is a new risk," said GetSafe Online, a U.K. security organization backed by the government and tech companies, in conjunction with a November press event. "Twenty-five percent of people surveyed shared confidential information with strangers on social networking sites."

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, don’t look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July10, 2014
When selecting servers to support analytics, consider data center capacity, storage, and computational intensity.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.