Google’s social networking site Orkut has been hit by a cross-site scripting worm, infecting users who viewed the emails or Orkut messages carrying its payload.
The worm, says this report, took advantage of an XSS vulnerability in Orkut and used Flash-based JavaScript malware. It added the victims to its rogue Orkut community, called “Infectados pelo Virus do Orkut,” which roughly means “Infected by the Orkut Virus” in Portuguese.
Victims either got alerts from Orkut that they had a new entry to their scrapbook, or received emails from other Orkut friends who also had been infected. The victims reportedly didn’t even have to click on a link to be infected.
Orkut fixed the XSS bug earlier today, but according to OrkutPlus, a security community within the social network, the vulnerability was still active in Orkut’s so-called sandbox profiles.