Orkut worm - awesome timing - Arvind Narayanan's journal

Orkut worm - awesome timing [Dec. 19th, 2007|12:54 am]
Arvind Narayanan
Over the last couple of weeks I've been feeling that Firefox resembles an OS more and more. Feels like Windows 98 more than anything else -- after a few hours of heavy use, it leaks so much memory that I have to restart it. I know exactly what the excuse is: "but it's the extensions, not the browser." That only proves my point -- that used to be the excuse for the crashiness of windows: "but it's the drivers, not the OS!" I can't live without the extensions, at least the developer ones.

Tonight, I too was totally pwned by the orkut XSS exploit. For those who haven't heard about it, it's a combination flash/javascript scrapbook virus worm that only requires you to look at the page to spread, not even click on anything. It was just a proof-of-concept, no malice intended, like Samy, but it spread to at least 400,000 users before they fixed it.
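The worm described above spreads because the scrapbook page hands each visitor's browser whatever markup the previous visitor left in a scrap. As an added example (not code from the post or from Orkut), the following Python shows the one rendering step that decides whether a scrap can carry active content: the same constructed scraps rendered with raw interpolation and with HTML escaping, plus a small check that counts which active tags (script, embed, object, ...) survive in the resulting fragment. The scrap texts, author names and example.invalid URLs are all constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Tags that execute or load code when the page is merely viewed.
ACTIVE_TAGS = {"script", "embed", "object", "iframe", "applet"}

# Constructed sample scraps; not real data from any site.
SAMPLE_SCRAPS = [
    ("alice", "Parabens pelo aniversario! <3"),
    ("mallory", '<script src="http://example.invalid/loader.js"></script>'),
    ("mallory", '<embed src="http://example.invalid/movie.swf">'),
]


def render_scrap_unsafe(author, body):
    """Vulnerable rendering: user text is dropped straight into the page markup."""
    return f'<div class="scrap"><b>{author}</b>: {body}</div>'


def render_scrap_safe(author, body):
    """Hardened rendering: every user-controlled string is HTML-escaped,
    so '<' and '"' become entities and cannot open a tag or attribute."""
    return (
        f'<div class="scrap"><b>{html.escape(author)}</b>: '
        f'{html.escape(body)}</div>'
    )


class _TagCollector(HTMLParser):
    """Collects the names of start tags the browser would actually see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag.lower())


def active_tags(fragment):
    """Return the active tags present in a rendered HTML fragment."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return [t for t in parser.tags if t in ACTIVE_TAGS]


def audit(renderer, scraps=SAMPLE_SCRAPS):
    """Render each scrap with the given function and report surviving active tags."""
    return [(author, active_tags(renderer(author, body))) for author, body in scraps]


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_scrap_unsafe), ("safe", render_scrap_safe)):
        for author, found in audit(renderer):
            print(f"{label:6} {author:8} active tags: {found or 'none'}")
```

Running it prints one line per scrap for each renderer: the unsafe renderer lets the script and embed tags through unchanged, the escaped renderer leaves none. Escaping on output is the minimum; a site that wants to allow some formatting in scraps needs an allowlist-based sanitizer instead, but the check above is a useful regression test for either approach.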

I'm running ubuntu on all my computers, of course. Which again reinforces my point -- any environment that's powerful enough to host self-replicating code is an OS as far as I'm concerned. That's right, your browser is already an OS.

Needless to say, orkut sucks giant donkey balls and I haven't used it in a long time. If the email notification for the scrap had said:
J.Random User has sent you a scrap:

[crap in portuguese]
instead of I wouldn't have been infected. Facebook does the right thing here. Seriously, why do people still persist with orkut?

The other reason the timing on this is awesome is because it comes right on the heels of the opensocial launch!

If you were infected:
  • No, you don't need to change your gmail password :)
  • Make sure to remove yourself from the community you were auto-added to once you're unblocked.
  • To prevent this from happening again, you might want to install NoScript and use it to block flash from orkut.
This attack seems to have been well-known for a long, long time: see The Flash Attack from back in 2002.

From: antrix.net
2007-12-19 09:17 am (UTC)
J.Random User has sent you a scrap.

Click here to view the scrap because we want you to view our ads and waste your time!

Except, Orkut doesn't have ads ;-)

But yeah, I don't see the point of sending notifications about messages without the message content. Reminds me of the time I used Airtel back in India. They would send me an SMS alerting me that my bill was ready. Then ask me to sms back to get the actual bill amount! Crazy!
From: arvindn
2007-12-19 03:38 pm (UTC)
ah. i was wondering about that. since i never see ads because of adblock plus, i tend to assume that all sites have ads :) if orkut doesn't, it's even more perplexing that they don't put the damn scrap in the email.

