Cenzic 232 Patent
Paid Advertising
web application security lab

XSS in Google’s Orkut

Rajesh Sethumadhavan is on a roll. This time he’s found a number of XSS issues in Google’s Orkut. As we’ve seen in over the last year or so on MySpace the potential for malicious worms is extremely high with social networking sites. Given the fact that Orkut isn’t as open a system as MySpace doesn’t actually change the issue. Probably the only saving grace for most of the people reading this is that Orkut isn’t that popular in the United States anymore. However, it is extremely popular in Brazil and other countries around the world. Here is Rajesh’s vulnerability (modified for formatting, downloaded the images, and brevity, etc…):

Overview:
Orkut is an Internet social network service run by Google and named after its creator, Orkut Büyükkökten. It claims to be designed to help users meet new friends and maintain existing relationships with pictures and messages, and establish new ones by reaching out to people you’ve never met before.

Orkut service is vulnerable to Cross-Site Scripting and HTML Injection. This is caused due to improper validation of user-supplied inputs.

Description:
A remote attacker can craft a GET request with the XSS payload as demonstrated below. When the victim clicks on the GET request the payload will get executed which result in stealing of cookie, IP info, refer info, browser information, clipboard content, operating system info, hardware Info, modification of page or html injection, url redirection, port scanning of the network, and even phishing is possible.

1) Orkut Invite XSS:
The flaws are due to improper sanitization of inputs passed to ‘continue’ parameter in GET request
——————————————————————-
http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie)
——————————————————————
Demonstration:
Note: Demonstration leads to your personal information disclosure
- Login to your orkut account
- Paste the above URL
- Click on BACK button
- Orkut Cookies will get displayed
The similar way HTML injection is also possible.
——————————————————————

Solution:
Orkut can improve their filters by disallowing certain characters like " <>/\?&`~!@#$%^*()[]|;:"' " in user input URL.

Screenshot:
http://ha.ckers.org/images/orkut-xss.jpg

Impact:
Successful exploitation allows execution of arbitrary script code in a user’s browser session in context of an affected site which result in stealing of cookie, IP info, refer info, browser information, clipboard content, operating system info, Referer info, hardware Info, modification of page or html injection (temporary webpage defacement), modification of page title, hijacking page flow, url redirection, port scanning of the victim’s network, and even phishing is possible. Impact of the vulnerability is network level.

Rajesh also included another XSS that has since been fixed (I removed it simply for brevity). But you get the point. Orkut is vulnerable, and therefor anyone who uses it is also vulnerable to the impacts that Rajesh outlined above. Nice find, Rajesh.

6 Responses to “XSS in Google’s Orkut”

  1. maluc Says:

    it can’t be automated though, and requires social engineering.. the impact of it is somewhat limited as such. You might be able to create a web page that opens it in an iframe and covers everything up except the back button, and work that into a SE trick.. still won’t get a high infection rate (i’d break the browser’s back button while you’re at it)

    So i don’t think brazilians need to panic just yet.

  2. Mephisto Says:

    It seems they have done a programming “No-No”. Seeing as the application is ASP.NET they appear to have set the “ValidatePageRequest” property to false (a true setting would prevent that attack) either at the page or application level.

    It appears the developers that created it aren’t very security minded, nor does it appear they throughly understand the technology they are working with.

  3. Jungsonn Says:

    It’s runned by Google?? damn.

    Oh heh, think i won’t go into details what: Or “Kut” means in dutch language. Ghehe… yeah it means “cunt”.

  4. devika Says:

    my problem is tht I am not able to open my orkut login page since 6 months and i have to take help from orkut proxies but now they are also not working can you please help me that what is the problem in my pc or orkut. I will be highly thankful to you.

  5. arfa Says:

    orkut login and password page is not open execpt orkut all the site is open but orkut login and password page is not open so please help me what is the problems in my pc or orkut. for that i am always greatfull to you

  6. undone Says:

    easy to implement, stuff all that data as query vars at the end of an image src, add to dom.