If you are amongst the few who still give a damn about Orkut, you might have noticed something fishy going on over the past few hours. A large number of users are randomly flooding their friend’s scrapbooks (Orkut’s equivalent of Facebook Wall) with the following message:
It doesn’t take a genius to figure out that the “Bom Sabado!” messages are automatically generated by a script. However, it is not clear if this is simply a script exploiting vulnerability in Orkut, or have the accounts sending the automated scraps been compromised.
If you are amongst those affected, it’s highly recommended that you follow the steps highlighted below:
- Switch to the “older version” of Orkut.
- Log out of Orkut.
- Clean your browser’s cache and cookies.
- Log in and change your password and security question.
If you haven’t been affected yet, it is strongly advised that you avoid Orkut until the issue has been resolved. I managed to trigger the same exploit while researching this article. Recently other high profile websites like Twitter and YouTube also fell victim to XSS attacks.
This is a developing story; we will update this topic as soon as we learn more. In the meanwhile, stay tuned to Techie Buzz and don’t forget to share your experience, if you have also been affected.
Update 1: The worm appears to have originated in Brazil, where Orkut is still exceptionally popular. Many of the affected users are noticing the Brazilian flag on their status messages. Additionally, the word ‘Bom Sabado’ means ‘Good Saturday’ in Portuguese, which is the official language of Brazil. We are still awaiting an official response from Google.
Update 2: ‘Bom Sabado’ is now trending on Google.
Update 3: Google has finally responded. An update posted on the official forum claims that the ‘Bom Sabado’ bug has been contained.
We’ve contained the “Bom Sabado” virus and have identified the bug that allowed this and have fixed it.
We’re currently working on restoring the affected profiles.
However, we are seeing new variants of the worm (such as ORKUT 3XPL0!T5) appear, which suggests that the underlying vulnerability is yet to be plugged.
Update 4: Google has officially confirmed that the attack did not lead to any compromised user account information. For more information check our follow-up post.