Another live XSS vulnerability

There is a new, live XSS vulnerability being exploited right now in Orkut – Brazil’s favorite social network, which happens to be a Google-owned property. More than 26 million Brazilians have Orkut profiles. Less than 12 hours after it was discovered and exploitation began, the XSS vulnerability had affected more than 180,000 users, and more profiles are being compromised as we speak.

No user interaction is required to be compromised – you simply need to log into your profile and visit a friend’s profile. If you have a small picture of the Brazilian flag in your scraps section and so does your friend, you will be infected. When infected, this message calls an external JavaScript file and runs it.

Everyone who is infected with this script is silently added to a community called “Infected by the Virus of Orkut”, which registers all of the users compromised by this new vulnerability.

In Portuguese, the description of the community says: “Você chegou aqui através de uma falha grave no orkut. A falha já foi comunicada ao Google e deve ser corrigida em breve. A comunidade só tem o intuito de forçar uma correção mais rápida”.

English translation:
“You arrived here by a serious security vulnerability in Orkut. This vulnerability has already been reported to Google and must be fixed soon. This community only has the intention of forcing a quicker fix”.

How did this all start? The author of this community is supposedly using this XSS vulnerability to force Google to fix it quickly. This is not the only such case we have seen – in December 2007 a similar case affected more than 660,000 Orkut users in a few hours.

We suggest that you avoid Orkut and/or turn off JavaScript in your browser until Google patches this vulnerability.

But if you are a Kaspersky customer, you are already protected – the JavaScript file exploiting this XSS, along with future variations, is detected and blocked in all our products as Exploit.JS.Orkut.f. So just make sure your databases are updated before you go to Orkut.

Update 1: 310,000 users affected by the vulnerability and still no fix.

Update 2: after more than 400,000 users were affected, Google fixed the XSS this Saturday night.
