Orkut Gets Flooded with ‘Bom Sabado’ Scraps
If you are amongst the few who still give a damn about Orkut, you might have noticed something fishy going on over the past few hours. A large number of users are randomly flooding their friend’s scrapbooks (Orkut’s equivalent of Facebook Wall) with the following message:
It doesn’t take a genius to figure out that the “Bom Sabado!” messages are automatically generated by a script. However, it is not clear if this is simply a script exploiting vulnerability in Orkut, or have the accounts sending the automated scraps been compromised.
If you are amongst those affected, it’s highly recommended that you follow the steps highlighted below:
- Switch to the “older version” of Orkut.
- Log out of Orkut.
- Clean your browser’s cache and cookies.
- Log in and change your password and security question.
If you haven’t been affected yet, it is strongly advised that you avoid Orkut until the issue has been resolved. I managed to trigger the same exploit while researching this article. Recently other high profile websites like Twitter and YouTube also fell victim to XSS attacks.
This is a developing story; we will update this topic as soon as we learn more. In the meanwhile, stay tuned to Techie Buzz and don’t forget to share your experience, if you have also been affected.
Update 1: The worm appears to have originated in Brazil, where Orkut is still exceptionally popular. Many of the affected users are noticing the Brazilian flag on their status messages. Additionally, the word ‘Bom Sabado’ means ‘Good Saturday’ in Portuguese, which is the official language of Brazil. We are still awaiting an official response from Google.
Update 2: ‘Bom Sabado’ is now trending on Google.
Update 3: Google has finally responded. An update posted on the official forum claims that the ‘Bom Sabado’ bug has been contained.
We’ve contained the “Bom Sabado” virus and have identified the bug that allowed this and have fixed it.
We’re currently working on restoring the affected profiles.
However, we are seeing new variants of the worm (such as ORKUT 3XPL0!T5) appear, which suggests that the underlying vulnerability is yet to be plugged.
Update 4: Google has officially confirmed that the attack did not lead to any compromised user account information. For more information check our follow-up post.
Related Topics Similar to This Article: »
Recent Activity: »
Author: Pallab De
Pallab De is a blogger from India who has a soft spot for anything techie. He loves trying out new software and spends most of his day breaking and fixing his PC. Pallab loves participating in the social web; he has been active in technology forums since he was a teenager and is an active user of both twitter (@indyan) and facebook .Pallab De has written 913 articles for us.
The author of this post can be contacted at pallab@techie-buzz.comComment Using Facebook
34 Responses to this Article | Share your Opinions/Comments
We moderate comments to prevent spam. Moderation is done within few hours. Please try and stay on topic and refrain from using abusive language. If you think there is a problem with this post, please email the post author or send us an email at tips@techie-buzz.com with the URL and the problem you see and we will rectify it as soon as we can.
For everyone whose orkut account has been affected with the ‘bom sabado’ worm ….
The worm injects a hidden iframe containing a malicious javascript http://tptools.org/worm.js [do not click this], which steals the user cookie which contains the password in an encoded form. So the attacker do not get to know your plaintext password but can login using your credentials by impersonating using the cookie to fool the identification system. So a trivial solution is to diable javascript, another solution is to disable iframes or u can take an advanced measure by blocking the domain http://tptools.org/ by editing your hosts file and redirecting it to a safe address, say 127.0.0.1
go to C:\windows\system32\drivers\etc\
There is a file named ‘hosts’. By default it is read-only. Go to it properties and uncheck the tickmark beside read-only
edit it with you favourite editor.
add this line at the end of it
127.0.0.1 tptools.org
save it. and then restart your network interface. ( in simple words, just reconnect your interner connection ) and bingo!! the worm’ll be useless.
Hope this helps..
Bt in my properties..,there is no tick mark for read-only…Even though i got the scrap ‘bom sabodo’ :(
is there any problem with this..please suggest me… :(
why should we add this line ???
If you add that line, whenever your browser tries to load the js, it will get a loopback address (and thus never succeed in loading the malicious script).
Opera users can simply add it to their content blocker file.
i mean…i couldn’t add that 127.0.0.1 tptools.org at the end..even it is not in read only mode by default.. :(
Open the Notepad in the AS Administrator, then open that HOST File in the Notepad, Edit it…You are Done…
Friends their is nothing to affraid with Bom Sabado!
it was a hacked loop. its over but delete it dont forget…
TC
when i did so, a dialog box popped up saying,”You don’t have the permission to save in this location, contact the administrator to obtain permission.
Would you like to save in the My documents folder instead ?”
Now what?
orkut hacked…getting nude messages
Those who are infected automatically join some brazillian communities, that cannot be unjoined.
I found automatically joined by several Brazilian communities. But i was able to UNJOIN from it. Am i affected?
Yes, probably.
It means “Good Saturday”… please logout Orkut immediately.. and change your password.
SIVA Rajendran.. From Chennai.
After doing the above mentioned steps:
Use m.orkut.com to open the non html version of orkut to check your scraps.
This is the mobile version of Orkut which is working.Check the scraps and sadly though u cant delete them.
use google chrome, u can also delete scraps using m.google.com!
it means good saturday buddy not good friday..
Thanks. Fixed.
Where is Google team …that conquor the web .i tried to delete my communities but failed or not supported. i can’t imagine this from google…….
updated 1000000% solution
to orkut virus ! “bom-sabado”
Find a file named HOST
u’ll find it here
–
Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts
Win 7 – C:\windows\system32\drivers\etc\hosts
Then open it with NOTEPAD
got to the end to that file
Add this code at the end
(remove # symbol while writing in host file !! from . and org/com)
127.0.0.1 tptools.#org
127.0.0.1 http://www.tptools.#org
127.0.0.1 convites.001webs.#com
click save
you are done ! ..clear ur cookies and logout and log in again !! happy orkuting :)
Hello dear. As you mentioend in the path there is no folder or files namely “hosts” in windows XP ‘ETC’ subfolder.
But What for Windows 7?
For those who run some sort of firewall, just block tptools. org site. But be sure that this is no failsafe way, as site from which script is downloaded could be easily changed in a updated scrap.
Bom Sabado ;)
I have recently found about 40 scraps from have been deleted from my scrapbook.
my gender has been changed…one of my friends has also got a nude pic and another found all his scraps deleted……
Follow the steps outlined in the post.
what should we do to avoid this bom sabado virus?????
This attack now seems to be spreading in geometric progression people are customizing the .js file to make their own cookie stealing scripts. So instead of editing ‘hosts’ by hand the better solution is to block the tag.
follow the instructions given in
http://techpaul.wordpress.com/2008/11/07/how-to-block-iframes/
bom sabado killed, yet again … http://bit.ly/adhr0V
hey itz Naveen !!
if u r trouble vit orkut virus ???to solve this problem ?? plz follow the instructions…..
Find a file named HOST
u’ll find it here
–
Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts
Win 7 – C:\windows\system32\drivers\etc\hosts
Then open it with NOTEPAD
got to the end to that file
Add this code at the end
(remove # symbol while writing in host file !! from . and org/com)
127.0.0.1 tptools.#org
127.0.0.1 http://www.tptools.#org
127.0.0.1 convites.001webs.#com
click save
you are done ! ..clear ur cookies and logout and log in again !! happy orkuting :)
Thhhhankkkkk U !!! Ur suggestion was very helpful !!
yesterday at 2pm,i got a scrap bomsabado from both of my friends,but thy aren’t friends,i thought wat’s is this,and said tat i have joined in so many communities tat havent seen it ever
hi thanks for ur post……..i tried all ur countermeasures against bom sabado…..delete cookies,change password ………..but now i dont have any more access to my account…….it shows wrong password,,,,,,,,,,,, i think i lost my account…
can u help me to get back my account????????????
plz help
Hey dudes if ur affected wid bom den jus go to dis link nd fill up d form u ll get back ur acc in 1day
https://www.google.com/support/accounts/bin/request.py?hl=en-US&contact_type=acc_reco&ara=2&ctx=acc_reco&source=no_ts&rd=1