Orkut Hacking

An Orkut user by the name of Tantek has exposed a flaw in Orkut’s security system. Orkut is the Microsoft ASP.NET and Google-powered Web community. Every user can define a variety of details (like hometown, sexual orientation, activities) and additionally set those details to be viewed by friends only. And you choose who your friends are… well, unless someone is tricking the system.

A simple inline-frame, hidden in the browser by absolute-positioning it with negative values, can trigger the “add as friend” or “join community” command. An anonymous poster in Orkut writes:

“This is a clear example of why it would be very silly to trust Orkut’s permissions system for sharing your information with only your trusted friends.

Web developers who don’t even understand basic cross site scripting precautions shouldn’t be trusted with more than the cookies they give us. Surely most google coders have a little more sense than the ones that wrote this particular app.”

The page in question with the possible Orkut exploit can be found at <http://tantek.com/log/2004/02.html> (and I suggest not opening this if you are logged in to Orkut with this browser). After I went there to try it out, I automatically became part of the “Training Program” (in other words, I was joined to a community with no doing of my own other than going to Tantek’s webpage). Tantek writes:

“This community is another training program designed to teach you one thing.

When you remain logged into Orkut and browse the web, any page you access can automatically change your Orkut membership without you knowing it.

This is due to the fact that Orkut uses HTTP GET URLs to alter your state.

The W3C long ago recognized this general vulnerability.

http://www.w3.org/2001/tag/doc/whenToUseGet.html”
– Tantek in Orkut

Tantek further urges webmasters to spread the word about this Orkut vulnerability by pasting the following code on their webpages:

<iframe style="width:1px;height:1px;position:absolute;top:-31337px;left:-31337px"
 src="http://www.orkut.com/Community.aspx?cmm=19657&cmd=add"></iframe>

Source: blog.outer-court
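
The server-side side of the flaw described above, as an added example (not code from Orkut, Tantek or the original post): a handler that changes state on any cookie-bearing request, next to one that refuses GET and requires a session-bound token on POST. The handler names, the in-memory session store and the HMAC token scheme are assumptions made for this sketch; only the `cmm=19657&cmd=add` query string comes from the page.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed for this sketch)
SESSIONS = {"sid-alice": "alice"}      # constructed session store: cookie value -> user
MEMBERS = {}                           # community id -> set of member names


def csrf_token(session_id):
    """Token bound to the session; a third-party page cannot read or compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def join_vulnerable(method, cookie, params):
    """The behaviour the post describes: any request carrying the cookie changes state."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401
    MEMBERS.setdefault(params["cmm"], set()).add(user)
    return 200


def join_hardened(method, cookie, params):
    """GET stays side-effect free; the change needs POST plus the session-bound token."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401
    if method != "POST":
        return 405                     # an iframe src or image load is always a GET
    supplied = params.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(cookie).encode()):
        return 403                     # a cross-site form post cannot supply the token
    MEMBERS.setdefault(params["cmm"], set()).add(user)
    return 200


def demo():
    """Replay the framed request and a legitimate form post against both handlers."""
    framed = {"cmm": "19657", "cmd": "add"}      # query string from the post's iframe
    results = {"vulnerable_get": join_vulnerable("GET", "sid-alice", framed)}
    MEMBERS.clear()
    results["hardened_get"] = join_hardened("GET", "sid-alice", framed)
    results["forged_post"] = join_hardened("POST", "sid-alice", framed)
    results["joined_after_forgery"] = "alice" in MEMBERS.get("19657", set())
    legit = dict(framed, csrf=csrf_token("sid-alice"))
    results["legit_post"] = join_hardened("POST", "sid-alice", legit)
    results["joined_after_legit"] = "alice" in MEMBERS.get("19657", set())
    return results
```

Calling `demo()` returns the status code each request receives and whether the membership actually changed.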




3 Comments so far »

  1. Anonymous said,

    Wrote on May 26, 2007 @ 10:09 am

    Google

    Google is the best search engine Google

  2. zafar said,

    Wrote on June 5, 2008 @ 3:21 am

    hi how r u ?

  3. KarthiKeyan said,

    Wrote on June 11, 2008 @ 4:11 pm

    yea.. tell me Zafar. I am good. how are you?
