
Orkut Gets Flooded with ‘Bom Sabado’ Scraps

In the second major XSS (cross-site scripting) attack on a major social networking service this week, Google-owned Orkut was flooded with "Bom Sabado" scraps.

It looks like a bad time for all the major social networks out there. Recently, Twitter faced an attack by hackers after a security flaw was unearthed by a user. Soon after, Facebook saw its worst downtime in four years, and now it's Orkut's turn to be under attack, by a worm known as Bom Sabado.

The phrase "Bom Sabado" means "Good Saturday" in Portuguese, which is the official language of Brazil, one of the last remaining Orkut bastions in the world. The worm appears to have originated in Brazil, where Orkut is still exceptionally popular; Orkut also has a significant number of users in India. While it may be small compared to Facebook (which boasts half a billion users), 52 million active Orkut users is by no means a small number. Many of the affected users are noticing the Brazilian flag on their status messages. We are still awaiting an official response from Google.

The worm seems to be posting scraps with the text "Bom Sabado" and also adding affected users to new Orkut groups. Such XSS attacks have targeted Orkut in the past too.

Anyway, as for the Bom Sabado worm, it is a JavaScript-based worm that spreads itself through Orkut scraps (the Orkut equivalent of a Facebook wall post). The worm is an auto-generated message which might look like just another scrap from your buddy. The scrap actually embeds malicious JavaScript code which infects the profile of the viewer as soon as they open the scrap page. Once executed, the code makes the user join bot communities automatically. The worm then starts posting similar scraps to the user's friends under that user's name, thereby spreading itself. The worm also steals browser cookies.

How it works
When anyone opens an Orkut page that is infected by this worm, a JavaScript payload runs automatically on that page. Your browser will hang for some seconds or minutes. That script then automatically joins you to some communities.



Community ID numbers: 106698808, 558494, 106698628, 106691341

Some of the communities you can see are: (screenshot not reproduced)
After joining the communities, it sends a scrap to your friends with the text "Bom Sabado!" together with iframe code that loads the same JavaScript again for your friends, so they in turn join the communities and send the links on to their friends.
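The propagation step above relies on the scrap body being rendered as live HTML, so the embedded iframe loads and the script runs. The following is an added example, not Orkut's code, showing the two controls a site can apply on its own rendering path: HTML-escaping user-supplied scrap text so that markup becomes inert literal text, and a simple server-side classification rule that flags scraps carrying active markup or the worm's own phrase. The scrap fields, the helper names and the sample scraps (including the placeholder URL) are constructed for the example.

```javascript
// Added example (not Orkut's code): defensive handling of user-supplied scrap text.
// Assumptions: scraps are stored as plain text and rendered into an HTML page by
// the site; the function and field names here are ours, not Orkut's.

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a scrap as the HTML fragment the viewer's browser would receive.
// Because both fields are escaped, an embedded <iframe> or <script> shows up
// as visible text instead of being parsed as markup, so nothing executes.
function renderScrap(author, body) {
  return `<div class="scrap"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Detection rule for a moderation or logging pipeline: flag scraps that carry
// active markup (script/iframe/object/embed tags, inline event handlers,
// javascript: URLs) or that match the worm's posting pattern.
const ACTIVE_MARKUP = /<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript\s*:/i;
const WORM_TEXT = /bom\s+sabado/i;

function classifyScrap(body) {
  const reasons = [];
  if (ACTIVE_MARKUP.test(body)) reasons.push("active-markup");
  if (WORM_TEXT.test(body)) reasons.push("bom-sabado-text");
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample scraps: one benign, one shaped like the worm's
// (hidden iframe; the URL is a placeholder, not a real payload location).
const BENIGN_SCRAP = "Bom dia! Vamos ao cinema hoje?";
const WORM_LIKE_SCRAP =
  'Bom Sabado! <iframe src="http://example.invalid/payload.html" width="0" height="0"></iframe>';

console.log(renderScrap("amigo", WORM_LIKE_SCRAP));
console.log(classifyScrap(BENIGN_SCRAP));
console.log(classifyScrap(WORM_LIKE_SCRAP));
```

Escaping at render time is the fix that actually closes the hole; the classifier is only a detection aid, since a worm can change its text or obfuscate its markup, and the regex above will not catch every encoding trick a browser's HTML parser tolerates.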

Experts have advised users to avoid logging on to Orkut till Orkut engineers fix the hole and also not to click on any suspicious links. Orkut had just last month announced new updates to the website.

As preventive measures you can do the following:

  1. Delete all of your browser's cookies.
  2. Log on to your Orkut account. (Never click on the scrapbook link.)
  3. Revert to Orkut's old theme.
  4. Log out of your account.
  5. Delete all of your browser's cookies.
  6. Log in to
  7. Change your password.
  8. Again delete all of your browser's cookies.

    If you use Firefox there is no problem: there is a Firefox plugin that stops all scripts. It is the NoScript Firefox plugin, which stops any script from running on the page. Install the plugin from here.


    If you don't have the latest version of Firefox, download it here.

    Mozilla Firefox is faster and safer. Mozilla Firefox is much, much faster than Internet Explorer or any other browser such as Opera, Google Chrome (only useful for Orkut) or Safari. Many plugins are available to get more out of the Firefox browser, and using them makes Mozilla Firefox more user friendly. Once you try it, you will never go back to Internet Explorer. Download the latest version of Mozilla Firefox from HERE or click the image on the left. Thank you for using Firefox.

