New critical XSS bug in Google's Orkut

Written by Pierre Gardenat and DP

Thursday, 23 April 2009

Security researcher Pierre Gardenat has reported a new and interesting vulnerability in Google's Orkut service. Malicious users could exploit it to spread XSS worms across Orkut or to steal authentication credentials from Google users who also use Orkut.

According to Pierre, it is important to note that, because this flaw affects an externally integrated application rather than Orkut itself, sensitive cookies cannot be read. Even so, an attacker gains increased possibilities for a successful attack, because he can force the logged-in user to navigate wherever he wants, riding on the user's existing open session(s).

Google also sets the HttpOnly flag on its cookies. Once again, this prevents an attacker from obtaining sensitive information, but it still allows powerful attacks to be launched. HttpOnly (fully enforced from Firefox 3.0.6, which closed the earlier XMLHttpRequest leak of HttpOnly cookies, and partially from Internet Explorer 7) only keeps the cookie out of document.cookie and so helps mitigate session stealing; the browser still attaches the cookie to every request the injected script causes the page to make, so actions performed within the victim's session are not prevented.
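
As an added example, not code from the original article or from Google, the following Python sketch makes the HttpOnly point concrete: a small Set-Cookie parser, an audit that flags a session cookie set without the flag, and two functions contrasting what injected script can read through document.cookie with what the browser still attaches to requests. The cookie names and values, including the session-cookie name "SID" and the domain example.com, are constructed for the example and are not Orkut's.

```python
"""
Added example (not from the original article): what HttpOnly does and does
not do against an XSS payload, plus a small audit of Set-Cookie headers.

HttpOnly keeps a cookie out of document.cookie, so injected script cannot
exfiltrate it. The browser still attaches that cookie to requests the page
makes, so the same script can drive the victim's authenticated session.
Cookie names and values below are constructed for the example; "SID" is an
assumed session-cookie name, not Orkut's real one.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> value, or None for bare flags like HttpOnly
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    def has(self, flag: str) -> bool:
        return flag.lower() in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


# Heuristic: names that usually carry an authenticated session (assumption).
SESSION_NAME_HINTS = ("sid", "sess", "auth", "token", "login")


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit(header: str) -> List[str]:
    """Flag a session cookie set without HttpOnly; [] means no complaint."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if looks_like_session_cookie(cookie.name) and not cookie.has("httponly"):
        findings.append(
            f"{cookie.name}: no HttpOnly flag, readable via document.cookie by XSS"
        )
    return findings


def script_visible(jar: List[Cookie]) -> List[str]:
    """Cookie names a page script sees in document.cookie (HttpOnly hidden)."""
    return [c.name for c in jar if not c.has("httponly")]


def attached_to_request(jar: List[Cookie]) -> List[str]:
    """Cookie names the browser sends with a same-site request from that page.

    HttpOnly is irrelevant here: this is why an XSS payload can still act in
    the victim's session even when it cannot read the session cookie.
    Domain/Path/Expires scoping is ignored for the example.
    """
    return [c.name for c in jar]


# Constructed sample headers for the demonstration.
WEAK_SID = "SID=3f9a1c; Path=/; Domain=.example.com"
HARDENED_SID = "SID=3f9a1c; Path=/; Domain=.example.com; HttpOnly"
PREF_COOKIE = "lang=en; Path=/"


def demo() -> Dict[str, List[str]]:
    """Audit both SID variants and contrast script access with request access."""
    jar = [parse_set_cookie(h) for h in (HARDENED_SID, PREF_COOKIE)]
    return {
        "weak_findings": audit(WEAK_SID),
        "hardened_findings": audit(HARDENED_SID),
        "script_visible": script_visible(jar),
        "attached_to_request": attached_to_request(jar),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running the script shows the asymmetry the article describes: with HttpOnly set, `script_visible` lists only the preference cookie, while `attached_to_request` still lists the session cookie, which is exactly what lets an injected script make authenticated requests without ever reading the cookie.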

In any case, this particular flaw does not affect Google's own code directly, but a trusted third-party application. Above all, it clearly shows how risky relying on external applications can be for a large social network like Orkut.

You can see a compromised Orkut profile on:

(you need to be logged in to Orkut to see this profile).


Thanks Pierre for the report! :-) We hope that Orkut's staff will look into this and fix it quickly...

The issue has since been remediated by Google, as confirmed on Wednesday, 29 April 2009 at 9:11pm in the following e-mail to Pierre:

> Hi,
> Thanks for your patience as we investigated this issue.
> This was not an issue with Orkut, but an external application. We moved
> swiftly to disable the compromised application, and we reached out to
> the developers who created it. We have since removed the application from
> Orkut. It's worth noting that exposure to this app would have been
> limited. Only whitelisted or sanitized applications are currently visible
> from the Profile page. The application in this case was viewable in canvas
> view but did not appear directly on users' profile pages. We're committed
> to finding new ways to help make applications safer and faster for Orkut
> users. You can read more about actions we took around the appearance of
> OpenSocial applications on Orkut profiles on our Orkut Developer Blog
> here:
> Regards,
> The Google Team
