Orkut Scrapbook XSS Bug is Still Active!

After two days we posted about scrapbook bug and demonstration of its destructiveness  by Rodrigo Lacerda (Portuguese link) and Gaurav, it looks like orkut team haven’t got enough of it!

So on request of some of the members and also to force orkut to take this more seriously we are partially revealing the bug…

The bug is in embed tag’s src attribute! Orkut doesn’t validate if src is pointing to valid flash media file URL and thus any URL submitted as value of src attribute just get executed when user opens scrapbook! This is different than most infection where user have to generate some event like clicking on a particular region, link,  etc.

Proof of Concept 1:

Here is harmless but highly annoying code which you can put in your friends orkut scrapbook. This is the reason why some people were getting logged out of orkut just by visiting their scrapbook!



Proof of Concept 2:

More serious but harmless exploitation is a worm created by Rodrigo Lacerda (Portuguese link) which is performing following routine.

  • You read the scrap with code (infact just open the scrapbook with code)
  • Code injects javascript in your browser
  • Javascript code makes you join the community
  • Then code collect your list of friends
  • Send the scrap with the code for them!

The community which is being joined is Infectados pelo Vírus do Orkut! Just check out the community page and reload it. Look how fast the number of members increases. 🙂



Solution is in the form of flash block extension we talked about in earlier posts!


What should orkut do:

  • They should first activate CAPTCHA (i.e. image verification) for all URLs including their own. That way worm will stop spreading itself!
  • For future they should validate user input properly. XSS is most of the time result of improper validation of input. Like here they haven’t checked URL for filetype!


Update: Orkut in a official blog post claim to fix the bug! But this embed tag’s bug is still open! They might have fixed other bug which Rodrigo used!

Link: Post by Rodrigo Lacerda (in Portuguese ) | Flash Block Solution | Gaurav post | Orkut’s official blog post


ritesh kumar sinha April 3, 2008

please remove this thread as this trick can be misused ….

Rahul Bansal April 3, 2008

I appreciate your concern buddy.
I guess its fixed now. 🙂