Orkut, Google’s social networking service and also the most popular website of its class in Brazil, decided earlier this month to allow HTML. Even though some elements (such as scripts) are not allowed in an attempt to block potentially malicious code, I predict that it will certainly be a Bad Thing™.

In Orkut’s official blog, they mention the fact that people can now send URLs. However, that was possible once before; the feature was removed because Orkut got bad press due to a data-theft worm [1].

The new HTML feature has a “limitation”: you will only receive HTML from people in your friends list. Orkut developers must have thought that receiving HTML from everyone would be annoying and would also allow for more intrusive forms of spam. But if they had any security intentions behind this, they’re pretty naive, because Orkut worms already use the friend list as a way to reach profiles and abuse the bond of trust users have. There are no security gains from this limitation.
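Blocking a few element names, as the post describes, is only half of an HTML filter: event-handler attributes and `javascript:` URLs in otherwise allowed tags carry code just as well. The allowlist sanitizer below is an added illustration written for this post, not Orkut’s code; the set of permitted tags, attributes and URL schemes is an assumption chosen for the example, and it intentionally drops anything not explicitly permitted, including the text inside dropped `script`/`style` elements.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for this example): everything else is dropped, never "blocked by name".
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
ALLOWED_SCHEMES = {"http", "https"}   # relative and scheme-less URLs are rejected too
VOID_TAGS = {"br", "img"}             # never emit a closing tag for these
CONTENT_DROPPED = {"script", "style"} # their inner text must not leak into the output


def _safe_url(value: str) -> bool:
    """Accept only absolute http(s) URLs; urlparse lowercases the scheme for us."""
    return urlparse(value.strip()).scheme.lower() in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        # convert_charrefs=True hands us decoded text, which we re-escape on output,
        # so "&#60;script&#62;" cannot survive as a live tag.
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROPPED:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text (handled in handle_data)
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases names and decodes values
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onerror=, onclick=, style=, ... are all gone
            if name in ("href", "src") and not _safe_url(value):
                continue  # javascript:, data:, vbscript: and friends are gone
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return a rebuilt HTML string containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()  # flushes buffered text
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample messages, not taken from any real profile.
    for sample in (
        '<b>hello</b><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="x()">profile</a>',
        '<img src="http://example.com/a.png" onerror="evil()">',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The output is rebuilt from the parse tree rather than produced by deleting substrings from the input, which is what makes the allowlist hold: a tag or attribute the filter never recognised cannot be carried through by accident.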

Unless Orkut also parses image files to make sure they’re valid, attackers will be able to easily create powerful worms using vulnerabilities in image-processing libraries, such as the one that was patched this month by Microsoft and is described in the MS07-046 security bulletin.
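What “parsing image files to make sure they’re valid” can mean in practice is shown by the added example below (my own code, not Orkut’s): before a user-supplied file is ever handed to a decoding library, check that its bytes match the declared type, that the header structure is well formed (including the IHDR CRC for PNG), and that the dimensions are plausible. The dimension limit, the three formats and the sample byte strings are assumptions constructed for the example. This is a pre-filter, not a substitute for keeping the real decoder patched and running it with reduced privileges.

```python
import struct
import zlib

MAX_DIM = 8192  # assumed sanity limit; absurd sizes are a classic way to reach allocation bugs

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# JPEG "start of frame" markers (all SOFn except DHT 0xC4, JPG 0xC8, DAC 0xCC)
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def _png_dims(data: bytes):
    """Signature, then IHDR must be the first chunk, 13 bytes long, with a valid CRC."""
    if len(data) < 33 or not data.startswith(PNG_SIG):
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return None
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != struct.unpack(">I", data[29:33])[0]:
        return None  # CRC covers chunk type + chunk data
    return struct.unpack(">II", data[16:24])  # (width, height)


def _gif_dims(data: bytes):
    """GIF87a/GIF89a header followed by the little-endian logical screen size."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])


def _jpeg_dims(data: bytes):
    """Walk the marker segments from SOI until a SOFn segment yields the frame size."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return None
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None  # lost marker sync: malformed
        marker = data[i + 1]
        if marker == 0xFF:  # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:  # EOI reached without any frame header
            return None
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length field
            i += 2
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if seg_len < 2:
            return None
        if marker in SOF_MARKERS:
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])  # precision byte sits at i+4
            return width, height
        i += 2 + seg_len
    return None


SNIFFERS = {"image/png": _png_dims, "image/gif": _gif_dims, "image/jpeg": _jpeg_dims}


def validate_image(data: bytes, declared_type: str):
    """Return (ok, reason). Only files whose bytes agree with the declared type pass."""
    sniff = SNIFFERS.get(declared_type)
    if sniff is None:
        return False, f"unsupported declared type {declared_type!r}"
    dims = sniff(data)
    if dims is None:
        return False, "header malformed or does not match declared type"
    width, height = dims
    if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM):
        return False, f"implausible dimensions {width}x{height}"
    return True, f"{declared_type} {width}x{height}"


# Constructed sample files (headers only, enough for the checks above; not real uploads).
def make_png(width: int, height: int) -> bytes:
    ihdr = b"IHDR" + struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return PNG_SIG + struct.pack(">I", 13) + ihdr + struct.pack(">I", zlib.crc32(ihdr) & 0xFFFFFFFF)


SAMPLE_PNG = make_png(16, 16)
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 32, 32) + b"\x00\x00\x00"
SAMPLE_JPEG = (
    b"\xff\xd8"                                            # SOI
    + b"\xff\xe0" + struct.pack(">H", 16)                  # APP0 segment, length 16
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"      # 14 bytes of JFIF payload
    + b"\xff\xc0" + struct.pack(">H", 11)                  # SOF0 segment, length 11
    + b"\x08" + struct.pack(">HH", 24, 48)                 # 8-bit precision, height 24, width 48
    + b"\x01\x01\x11\x00"                                  # one component
)

if __name__ == "__main__":
    for blob, declared in ((SAMPLE_PNG, "image/png"), (SAMPLE_GIF, "image/gif"),
                           (SAMPLE_JPEG, "image/jpeg"), (SAMPLE_GIF, "image/png"),
                           (make_png(1 << 30, 16), "image/png"),
                           (b"<html><script>x</script>", "image/jpeg")):
        print(declared, validate_image(blob, declared))
```

A file that fails here is rejected before any decoder touches it; one that passes is still untrusted input, and the usual next step is to re-encode it through a patched library in an isolated process so that only freshly generated bytes are ever served back to other users.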

The question remains when Google will finally begin to add CAPTCHAs of any kind to the forms responsible for sending messages, since worms and spam tools seem to be able to send messages to anyone with ease.

Notes

  1. It might be relevant to note that I had e-mailed Google weeks before that article was published, complaining that they needed some control over malicious links. I never got a reply other than a “Thanks” message from their automated system, and nothing happened until SpywareGuide’s article was published.

Posted Tuesday, August 21st, 2007 at 6:35 pm
Filed Under Category: Brazil, Viruses