Google-owned social network sees 400,000 users hit by XSS attack

Attack on Orkut required no user interaction.

The Brazilian social network Orkut has been hit by a cross-site scripting (XSS) vulnerability that affected around 400,000 users.

Kaspersky Lab's Fabio Assolini said that the Google-owned website, used by 26 million Brazilians, was hit by an attack that compromises users without requiring any interaction from them.

He said: “You simply need to log into your profile and go visit a friend's profile. If you have a small picture of the Brazilian flag in your scraps section and so does your friend, you will be infected. When infected, this message calls an external JavaScript file and runs it.

“Everyone who is infected with this script is being added silently to a community called ‘Infected by the Virus of Orkut’, which registers all of the users compromised by this new vulnerability.”

The description of the community translates as ‘You arrived here by a serious security vulnerability in Orkut. This vulnerability has already been reported to Google and must be fixed soon. This community only has the intention of forcing a quicker fix’.

An update said that after more than 400,000 users were affected, Google fixed the XSS flaw.

See original article on scmagazineus.com


Copyright © SC Magazine, US edition