As you opened your orkut account , you may have seen many scraps stating the same words Bom Sabado . Actually it was XSS attack. XSS = Cross Site Scripting. It is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. By using this script , the user bypasses the access controls and limits. One of the common vulnerabilities is non-persistent (or reflected) cross-site scripting. In this, when a user enters the scripts in HTML query parameters or in HTML form submissions and this is immediately processed by the server side scripts to generate the page requested without properly analyzing the request. Thereby the attack starts and keeps on spreading.
But the attack on Orkut falls under the category of Persistent XSS vulnerability and it occurs when the data provided by the attacker is stored in the server of the site, and then permanently displayed on “normal” pages returned to other users. This is can also be quoted as “Client side worm”. It can be for the redirecting the user for any site or any other purpose.
Now when the attacker loads the XSS and when the user reads the message , his cookies will be stolen which leads to the hijacking of the user’s session and impersonate him.It becomes famous through the social media and thereby spreads. Other damages include gaining free access to otherwise paid for content, spying your browsing, defamation of the image of the company or individual etc. With the advent of Web2.0, new loopholes emerged.
In a recent development Youtube got Hacked by Brazilians .
Recently, Twitter was also attacked and orkut was attacked before. Inevitable loopholes of the social networking sites give the oppurtunity for the worm like Bom Sabado. Stay away from orkut and if you have already been on it. Try to erase you cookies and saved passwords because has got the access to your cookies and hence loss of important personal data. XSS attacks has often resulted in a public challenge which hackers are always itching to accept, with the site owner having to later deal with a defaced application and public embarrassment.