Stealing accounts and communities with XSS
On January 1, 2005 a Brazilian hacker called Vinícius K-Max attacked Orkut using a cross-site scripting (XSS) vulnerability to steal ownership rights over communities. Eventually, various phishing sites were developed with the intent of stealing other people's accounts and communities.
On June 19, 2006 FaceTime Security Labs’ security researchers Christopher Boyd and Wayne Porter discovered a worm, dubbed MW.Orc.
The worm steals users' banking details, usernames and passwords by propagating through Orkut. The attack was triggered when users launched an executable file disguised as a JPEG image. The initial executable that causes the infection installs two additional files on the user's computer. These files then e-mail banking details and passwords to the worm's anonymous creator when infected users click on the "My Computer" icon.
Session Management and Authentication Issues (latest)
On June 22, 2007 Susam Pal and Vipul Agarwal published a security advisory on Orkut vulnerabilities related to authentication issues. The vulnerabilities are considered very dangerous in cybercafes, or in the case of a man-in-the-middle attack, as they can lead to session hijacking and misuse of legitimate accounts. The vulnerabilities are not known to be fixed yet and therefore pose a threat to Orkut users.
A week later, on June 29, 2007, Susam Pal published another security advisory describing how the Orkut authentication issue can be exploited to hijack Google and GMail sessions and misuse the compromised account of a legitimate user under certain conditions.
1. If an attacker manages to steal this cookie from another user, he can gain access to the compromised account even after the user has logged out since the session associated with it is still alive at the server side.
2. In case of unsuccessful authentication during a session, when the user finds himself logged out, if he leaves the browser unattended, a trespasser can login to his account simply by entering a valid URL for his account or clicking the 'Home' link.
1. The session associated with 'orkut_state' cookie must expire at the server side when the user logs out.
2. The session associated with 'orkut_state' cookie must be disabled temporarily when a user fails authentication during a session. The session should be enabled only after the user successfully
program, etc. or click on any suspicious link to prevent the cookie from being stolen.
2. On a shared system, the user must log out of Orkut by clicking the "Logout" link. This would delete the session cookies at the browser and another user cannot read the cookie value from the browser. Alternatively, the cookie can be removed from the browser.
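To make the two advisory issues concrete, the following is an added example (not code from the advisory or from Orkut) of a minimal in-memory session store. Its weak configuration reproduces the described behaviour (logout only discards the browser cookie; a failed re-authentication leaves the server-side session alive), and its default configuration applies the two fixes the advisory proposes. The class, method names and the constructed `_USERS` table are assumptions for illustration.

```python
import secrets

# Constructed credential table standing in for the real authentication backend.
_USERS = {"alice": "correct horse"}

def check_password(user, password):
    return _USERS.get(user) == password

class SessionStore:
    """Server-side session table keyed by the cookie value ('orkut_state'-style)."""

    def __init__(self, invalidate_on_logout=True, disable_on_auth_failure=True):
        # Both flags False reproduces the weak behaviour the advisory describes.
        self.invalidate_on_logout = invalidate_on_logout
        self.disable_on_auth_failure = disable_on_auth_failure
        self._sessions = {}  # token -> {"user": str, "enabled": bool}

    def login(self, user, password):
        """Issue a fresh, unguessable session token on successful authentication."""
        if not check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "enabled": True}
        return token

    def is_valid(self, token):
        """Decision the server makes for a request carrying this cookie value."""
        s = self._sessions.get(token)
        return s is not None and s["enabled"]

    def logout(self, token):
        """Weak: only the browser drops the cookie, the server keeps the session,
        so a copy of the cookie keeps working. Fixed: the server forgets it."""
        if self.invalidate_on_logout:
            self._sessions.pop(token, None)

    def reauthenticate(self, token, user, password):
        """Re-login attempt during an existing session (the advisory's issue 2)."""
        s = self._sessions.get(token)
        if s is None:
            return False
        if check_password(user, password):
            s["enabled"] = True  # re-enable only after a successful login
            return True
        if self.disable_on_auth_failure:
            s["enabled"] = False  # old cookie no longer opens the account
        return False
```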