New Orkut XSS worm by Brazilian web security group

Written by DP

Saturday, 4 October 2008

Security researchers Octane[F/X], Rodrigo Lacerda and Klay Gomes were able to hack again Orkut with their new XSS worm.

The photo commentary parameter was not properly filtered, thus allowed insertion of this malicious script:


This worm joined victims to some communities, left Orkut scraps to community members, added victims to friends lists, changed their profile picture and infected all of their personal photos. Therefore, anyone who visited an infected photo album, got infected.

Firefox users were vulnerable to attack. Opera and some versions of IE were not affected.

Good news is that it doesn't work anymore, Google once again fixed it in record time.

For educational purposes we uploaded a zip file containing all the worm's associated JavaScript codes.

Related News:
XSS worm hits Orkut - Kevin Fernandez,, 20 Dec 07

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.