Orkut worm demonstrates vulnerability of service

Google's Orkut social networking site appeared to have been hit by a relatively harmless worm, but one that demonstrated the continuing vulnerability of Web applications.

Some Orkut users received an e-mail telling them they had been sent a new scrapbook entry -- a type of Orkut message -- on their profile from another Orkut user.

[ Analysis: Google security under fire ]

They only had to view their profile to become infected by the worm, which added them to an Orkut group, "Infectados pelo Vírus do Orkut," wrote the blogger Kee Hinckley on his site TechnoSocial.

The name of the group, in Portuguese, roughly translates to "infected by the Orkut virus." Orkut is popular in Brazil, as well as India, but has not caught on as well outside those countries compared to MySpace and Facebook.

The description of the group reveals that the worm was designed to show Orkut could be dangerous to users even if they do not click on malicious links, Hinckley wrote. The worm apparently did not try to steal any personal data.

The worm was also noted by Orkut Plus, a site that offers Orkut security tips, and discussed in Google's Orkut help group.

At one time the infected group was adding new members at a rate of 100 per minute, and had reached a few hundred thousand members, according to various postings, but the problem appears now to be fixed, Hinckley wrote.

Orkut's scrapbook feature allows people post messages that contain HTML code, but it may lack a filter to strip out malicious JavaScript, Hinckley wrote.

"It does not appear at first glance that the worm does anything more dangerous than pass itself on to one or more of your friends," he wrote. "I think it unlikely that it would be able to steal your password, although it could potentially access other private information."