New critical XSS bug in Google’s Orkut

Apr 25, 2009 | Category: Google Vulns

Pierre Gardenat has discovered a vulnerability in Google's Orkut service that malicious users could exploit to conduct cross-site scripting (XSS) attacks.

Security researcher Pierre Gardenat reported an interesting new vulnerability in Google's Orkut service. Malicious users can use it to spread XSS worms across Orkut or to abuse the logged-in sessions of Google users who also use Orkut.

Pierre points out an important limitation: because the flaw sits in an externally integrated application rather than in Orkut itself, the injected script runs in that application's context, not Orkut's, and so cannot read Orkut's sensitive cookies. The attacker still gains a lot, though. He can send the logged-in user wherever he wants, and every request the victim's browser makes to Orkut carries the existing session cookies along with it, so the attacker effectively acts through the victim's open session(s) without ever seeing them.

Google also sets the HttpOnly flag on its cookies. Once again, this keeps the attacker from reading sensitive values, but it does nothing against attacks that never need to read the cookie: any request the injected script provokes is still sent with the session cookie attached. HttpOnly (fully supported only from Firefox 3.0.6 and partially in Internet Explorer 7; cf. http://www.owasp.org/index.php/HTTPOnly) only mitigates session theft through script. It is a mitigation, not a fix for the XSS itself.
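To make the two previous paragraphs concrete, here is an added example (not code from the original post, from Pierre's report or from Orkut) that models in JavaScript the rules deciding what `document.cookie` exposes to an injected script versus what the browser still attaches to a request that script forces. The hostname of the third-party application (`thirdparty-app.example`), the cookie names and values, and the target path `/SomeAction` are constructed for illustration and are not Orkut's real ones.

```javascript
// Added example: a small model of cookie scoping and the HttpOnly flag.
// Not Orkut's code; hostnames, cookie names and values are constructed.

// Parse one Set-Cookie header as sent by `setterHost` (the responding host).
function parseSetCookie(header, setterHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: setterHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact host gets it back
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain":
        cookie.domain = v.replace(/^\./, "").toLowerCase();
        cookie.hostOnly = false;
        break;
      case "path":
        cookie.path = v || "/";
        break;
      case "secure":
        cookie.secure = true;
        break;
      case "httponly":
        cookie.httpOnly = true;
        break;
    }
  }
  return cookie;
}

function domainMatches(cookie, host) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

function pathMatches(cookie, path) {
  const prefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  return path === cookie.path || path.startsWith(prefix);
}

// Cookies the browser puts in the Cookie header of a request to `url`,
// regardless of which page's script caused that request.
function cookiesAttachedTo(jar, url) {
  const u = new URL(url);
  return jar.filter(
    (c) =>
      domainMatches(c, u.hostname) &&
      pathMatches(c, u.pathname) &&
      (!c.secure || u.protocol === "https:")
  );
}

// Cookies document.cookie reveals to script running at `origin`:
// the same scoping as above, minus anything flagged HttpOnly.
function cookiesReadableByScript(jar, origin) {
  return cookiesAttachedTo(jar, origin).filter((c) => !c.httpOnly);
}

// The request an injected script can provoke (setting location, submitting an
// auto-built form): the attacker never sees the cookie, but it rides along.
function forgeRequest(jar, method, url) {
  const cookieHeader = cookiesAttachedTo(jar, url)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
  return { method, url, headers: cookieHeader ? { Cookie: cookieHeader } : {} };
}

// Constructed scenario: Orkut's session cookie is HttpOnly and scoped to
// .orkut.com; the vulnerable application lives on its own (assumed) host.
function simulateInjectedScript() {
  const jar = [
    parseSetCookie("SID=session-secret; Domain=.orkut.com; Path=/; Secure; HttpOnly", "www.orkut.com"),
    parseSetCookie("PREF=lang=en; Domain=.orkut.com; Path=/", "www.orkut.com"),
    parseSetCookie("appstate=abc; Path=/", "thirdparty-app.example"),
  ];
  const appOrigin = "https://thirdparty-app.example";
  const targetUrl = "https://www.orkut.com/SomeAction"; // hypothetical endpoint
  return {
    // script in the app's context: only the app's own cookie is visible
    readableFromApp: cookiesReadableByScript(jar, appOrigin).map((c) => c.name),
    // even script on www.orkut.com would not see SID, thanks to HttpOnly
    readableFromOrkut: cookiesReadableByScript(jar, "https://www.orkut.com").map((c) => c.name),
    // ...yet the forced request to Orkut carries SID anyway
    forged: forgeRequest(jar, "GET", targetUrl),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(simulateInjectedScript(), null, 2));
}
```

Running it prints an empty intersection between what the attacker's script can read and the `SID` cookie, yet the forged request to `www.orkut.com` carries `SID=session-secret`: that is the whole point of the paragraphs above. Since the script runs in the application's context and cannot read Orkut's responses either, a per-session anti-CSRF token on state-changing Orkut endpoints would blunt the blind forged requests, though not the redirection of the victim.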

This particular flaw is not in Google's own code but in a trusted third-party application, and that is exactly what makes it instructive: it shows how much risk a large social network such as Orkut takes on when it lets external applications run inside its users' sessions.

A compromised Orkut profile can be seen at:

http://www.orkut.com/Main#Application.aspx?uid=2377494914036893288&appId=675426251494

(you need to be logged in to Orkut to see this profile).

Screenshot:

Thanks Pierre for the report! :-) We hope that Orkut’s staff will look into this and fix it quickly…
