Orkut Multiple Cross Site Scripting Vulnerabilities
########################################################
XDisclose Advisory : XD100097, XD100098, XD100092
Vulnerability Discovered : November 30th 2006
Advisory Released : December 8th 2006
Credit : Rajesh Sethumadhavan
Class : Information Disclosure
Cross Site Scripting
Html Injection
Severity : Highly Critical
Solution Status : Patched/Reported to Vendor
Vendor : Google Inc
Vendor Website : http://www.orkut.com
Affected applications : Orkut Services
Affected Platform : All
########################################################
Overview:
Orkut is an Internet social network service run by Google with more
than 37 million total members and nearly 1.3 million daily visitors.
It claims to be designed to help users meet new friends and maintain
existing relationships with pictures and messages, and establish new
ones by reaching out to people you've never met before.
Description:
Orkut service is vulnerable to Cross-Site Scripting and HTML
Injection and email address disclosure vulnerability. Which result
in email address disclosure, stealing of cookie, IP info, refer
info, browser information, clipboard content, operating system info,
hardware Info, modification of page or html injection, url
redirection, port scanning of the network, and even phishing is
possible. This is caused due to improper validation of user-supplied
inputs and improper designing of orkut portal.
1) Orkut Multiple Cross Site Scripting Vulnerabilities
A remote attacker can craft a GET request with the XSS payload as
demonstrated below. When the victim clicks on the GET request the
payload will get executed which result in stealing of cookie.
6/28/2011 05:46:00 PM
K.D
expertise they gained in last X years , some claim to hack it using previously existing loopholes & some say we submit it to hackers & act as brokers. Goes same for Facebook password crackers, Facebook password stealers or Facebook password cracker software ..
.png)
