Another XSS Exploit in Google’s Orkut
Rajesh Sethumadhavan posted another vulnerability in Google’s Orkut. This one is a tad more obscure because it requires user input (clicking a link) to execute the exploit. Here’s the disclosure:
1) Orkut Invite XSS:
The flaws are due to improper sanitization of inputs passed to ‘show’ parameter in GET request
——————————————————————-
http://www.orkut.com/Friends.aspx?show=group1);alert(document.cookie
——————————————————————-
Demonstration:
Note: Demonstration leads to your personal information disclosure
- Login to your orkut account
- Paste the above URL
- Click on ‘delete group’ & ‘ok’ button
- Orkut Cookies will get displayed
I’ve never been a big fan of social networking sites for the (lack of) security aspect. With the recent rash of XSS worms out there, these sites should probably start considering these issues as serious. Since Google doesn’t appear to have the required resources in-house, they should really consider hiring outsourced help to fix them. At least they are getting some input from their users, even if they aren’t able to find their own security flaws. Until then, it’s probably still a good idea to steer clear of these websites from a consumer perspective.
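
The value in the reported URL has the shape of input that ends up inside an inline JavaScript call. The following is an added example, not part of the original post and not Orkut's code: it assumes that kind of rendering and puts the unsafe concatenation beside an allow-listed, encoded version. `deleteGroup`, the render functions and the "group" plus digits format are hypothetical.

```javascript
// Added example: hypothetical rendering of a "delete group" link, not Orkut's code.
// Assumption: the 'show' value is copied into an inline JavaScript call.

// Vulnerable: the raw parameter becomes part of the script source.
function renderDeleteButtonUnsafe(show) {
  return '<a href="#" onclick="deleteGroup(' + show + ')">delete group</a>';
}

// HTML-attribute encoding for characters that can end the attribute or start markup.
function escapeHtmlAttr(s) {
  return s.replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Encode a value as a quoted JS string literal that is safe inside an HTML attribute.
function encodeForInlineJs(value) {
  return escapeHtmlAttr(JSON.stringify(String(value)));
}

// Assumed format for a group identifier, based on "group1" in the report.
const GROUP_ID = /^group[0-9]{1,4}$/;

// Hardened: allow-list the expected shape, then emit the value as data, never as code.
function renderDeleteButtonSafe(show) {
  if (typeof show !== 'string' || !GROUP_ID.test(show)) {
    return null; // the caller should answer 400 instead of rendering
  }
  return '<a href="#" onclick="deleteGroup(' + encodeForInlineJs(show) + ')">delete group</a>';
}

// Value taken from the URL quoted in the report above.
const reported = 'group1);alert(document.cookie';

console.log(renderDeleteButtonUnsafe(reported)); // input closes the call and adds a statement
console.log(renderDeleteButtonSafe(reported));   // rejected by the allow-list
console.log(renderDeleteButtonSafe('group1'));   // well-formed id, rendered as a string literal
console.log(encodeForInlineJs(reported));        // encoding alone keeps the input inside quotes
```

The allow-list and the encoding are independent layers: the first rejects anything that is not a group identifier, the second keeps whatever is rendered inside a string literal.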



December 12th, 2006 at 10:04 am
Somehow a few posts got deleted this morning:
Hanumant:
www.orkut.com is blocked by our administrator, then how can I use it? If any other similar page is available for ORKUT LOGIN then please tell me.
December 12th, 2006 at 6:26 pm
Another Hole Within Orkut……
It looks like another hole inside Orkut has been discovered. Credit goes to Rajesh Sethumadhavan for discovering this….
April 18th, 2007 at 3:11 am
www.orkut.com is blocked by our administrator, then how can I use it? If any other similar page is available for ORKUT LOGIN then please tell me.
August 9th, 2007 at 2:50 am
Blocked the orkut.com. I want another URL of orkut.com.