Orkut Latest XSS Worm; and what it means for Indian Orkuteers

Update: Kishor reports a flaw in the implementation of “private” videos feature on Orkut. Although I am at office and I haven’t checked it yet myself, I believe I can trust him, based on his posts at Slackers. Nice one Kishor. 🙂

1. YAWN [Yet Another Worm, Nanny]

Orkut (Google’s MySpace and Facebook for India, Pakistan and Brazil) has been hit by an XSS worm. It’s useless to say, but I am not able to resist, so I’ll say it anyway: it’s not the first time that a social networking site has been attacked by an XSS worm. In fact, these sites are the primary target for a number of reasons: easier gullibility level, exponential reach, a huge amount of data waiting to be harvested, web 2.0, etc. etc. etc. There’s a good compilation of XSS worms going on at Slackers (social networking worm or not).
Anyhoo. This incident has already been reported by a number of bloggers, so I won’t dive into the technical details. However, this worm seems to be harmless and fixed for now.

2. What did it do?

If you viewed a message “2008 vem ai… que ele comece mto bem para vc” in your scrapbook, there is a high probability that you’re infected. You were added to a community named “Infectados pelo Vírus do Orkut” at http://www.orkut.com/CommunityJoin.aspx?cmm=44001818. The worm then forwards itself to the scrapbook of all your contacts (on your behalf). Any doubts about it being exponential?

3. IT Act 2000 [pdf]

IT Act 2000 is India’s legal answer to the miscreants on the technological front. (I realize it’s a pathetic definition, so no flame on it please 🙂 ). The trouble with IT Act 2000 is that the majority of law enforcers aren’t really aware of the real life scenarios. I’ll give a real case to support the point in a while. Although I am no law expert (just a little bit of interest), I guess I can safely say that the Act needs a few amendments to include/modify a number of issues (e.g., SPAM, etc.).

So what happens when the implementation is in a nascent stage, and the enforcers are not completely educated?
Things get blown out of proportion. Things get painted in a completely new color. Things get… uh! Fill them up yourself.

Chapter 11 of the Act defines the Offences – section 65 to section 78. For now, let’s have a look at Sections 65, and 67.
Section 65: Tampering with computer source documents.

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation: For the purposes of this section, “computer source code” means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 67: Publishing of information which is obscene in electronic form.

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

I have mostly been interested in section 67 (which, according to some in the law industry, also extends to SMS services 🙂 ).

Anyhoo. If you are interested in the punishments, here’s the link. Have a look. You might be serving one someday 😉

5. Case Study

There have been quite a few cases revolving around Orkut, but the one that I’ll be talking about (and the most relevant one) is the one where the wrong man (named Lakshmana Kailash K) was put behind bars for 50 freakin’ days. He was “reportedly” involved in the defamation of Chhatrapati Shivaji, a highly revered historical figure.
In case you aren’t aware, Orkut (Google) has signed a pact with Indian law enforcement. They pledge to “block any ‘defamatory or inflammatory content’, or hand over IP address information to police if asked”.

So what happened in the above case?
Law enforcers receive a report about the defamation of Shivaji; they contact Orkut; Orkut gives the IP address; the law enforcers run to the ISP (Airtel in this case); Airtel provides the address; the guy is put in jail.
Simple, isn’t it?

The only trouble being that Airtel provided the wrong address.
Whoops! And bang! The dude spends 50 days straight, for something he didn’t do.
Neha Viswanathan, a blogger based in the UK, has a very nice write-up on the incident. Further, there’s a very nice compilation of some Cyber Crime cases in India at the IndiaCyberLab portal.

6. Putting the pieces of the puzzle together

Let’s first collect all the pieces together:
1. Orkut has a pact with Indian law enforcement.
2. Law enforcers are incompetent *cough*.
3. Orkut (or any other similar site) still has XSS and CSRF flaws in it. Period.
4. XSS and CSRF let you (among a thousand other things) manipulate source code (section 65) and/or insert obscene/derogatory content (section 67).
5. XSS and CSRF let you post/manipulate data on some other person’s behalf. (The Orkut/Samy etc. worms did not require you to click anywhere. Just load the page and the payload is inserted in your friend’s scrapbook on your behalf.)

Now combine them all, and you’ll realize that there might be a day when you just sent a “long time no scraps” scrap in your friend’s scrapbook and went to bed. The next day, a bunch of cyber officers wake you up and arrest you for defaming Bala Saheb Thakrey.

…and yes! Don’t talk about democracy. You’ve already seen that the politicians can get away with wrestling in the parliament arena that would put WWE stars to shame. On the contrary, a chap is detained for 50 days just because the cops thought that they had enough evidence.

7. Conclusion

Stay away from social networking sites. Trust me, they are not worth the price.

16 Replies to “Orkut Latest XSS Worm; and what it means for Indian Orkuteers”

  1. Hey Bips,

    Interesting one buddy 🙂 Thanks for such an informative post. I think, this kind of awareness is needed for all the Internet users out there (esp. for those who spend most of their time hanging out on the social-networking sites 😛 .)

    This is a kind of extension to your “How secure in the Web?”

    Hmmm.. I guess, you’re becoming a Tech-Law person these days 😉

  2. My suggestion ,,

    1. Don’t leave your contact number or postal address.
    2. Don’t trust everyone there.
    3. Don’t add unknown ones.
    Etc. etc.…

  3. @Shahil:
    These are good points for protecting one’s privacy, and should be followed religiously. However, an XSS (or CSRF) flaw would defy it all.

    P.S. BTW, shouldn’t your name be Saahil or Sahil (instead of Shahil)? No offence. I am Indian, so just curious about the pronunciation.

  4. Bipin,

    Now this is nothing new huh? You know how the Indian Legal System (and broadly, the Indians) function 😛 Why don’t you suggest Six Sigma Quality Improvement program?? 😉

  5. Now this is nothing new huh? You know how the Indian Legal System (and broadly, the Indians) function…

    Actually, I’d like to differ on generalising the Indian part (although not completely).
    There are an amazing number of beautiful things being done, which go completely unknown. There are a good number of highly educated people who left every luxury and started off with social work. I have been fortunate enough to be associated with a few of them. I will also be posting one such achievement on my other blog.
    By the way, did you know that my college body has a tribal school? These kids went to SA and won the under 14 (I think) Rugby World Championship. Rugby! Can you imagine that?
    I can now boast that I’d taken a few classes at the school (although I taught Permutation & Combination, not Rugby 😛 )
    Unfortunately, these are never highlighted by the media.

    I always find it very interesting that Indian democracy WORKS… considering the problems we have in all directions: Kashmir militancy, Tamilnadu & LTTE, Naxals etc. in east, Militancy in Punjab… and the Bihar :)…. and even then at the end of the day, the democracy works.
    We always talk about how corrupt the politicians are, but even after all these disasters, we do see some amazing developments.

    Uh! That’s a long comment. 😛
    Summary: Hope survives 🙂

  6. Apparently, Google fixed it but I just got one more message with the same characteristics, and I won’t dare open it again!!
    Any idea if this is still out in open?

  7. How do I do that?
    I mean give my profile id?
    [Orkut Profile Link removed by site admin]
    there is a scrap from one bhumika.

    OK, here’s the thing. I was on Gtalk when I got this message notification and it showed me code there similar to that of the prior attack. So I am guessing it’s still there. Anyway, please let me know if it’s a false alarm.

  8. Gautham,

    Thanks for providing the link (I’ve removed it considering that it might hinder your privacy).
    I had a look at it and couldn’t find anything malicious; and definitely not from Bhumika. She is just one lady who believes that “Love can change your life” 😉

    On a side note, I’d suggest you use the NoScript extension for Firefox. It’ll hinder your browsing experience in a number of ways, but it also provides guaranteed protection against a number of attacks. You can always turn it off (temporarily or permanently) for a particular domain.
