Users are receiving scraps from their friends with the message “2008 vem ai… que ele comece mto bem para vc”. They can get hacked just by trying to read their scraps. There is an XSS (cross-site scripting) vulnerability in the scrapbook that allows a malicious script to execute, and the script can perform the following actions:
- Stealing their cookies
- Logging them out and redirecting them to a fake page
- Logging them out and redirecting them to a page that automatically installs keyloggers and viruses on their computer
As soon as they read this scrap, even on their own profile, their cookies are stolen and the same scrap is automatically posted to their friend list, spreading like a bomb while the script keeps running. A flag also appears in their profile status: in some profiles the status is updated automatically, and it shows the flag of Brazil. The Google team is working on it.