Adding Custom Images to Orkut User Status Updates! [New Bug]

Update: This bug is fixed now. Details are here. I am closing comments to avoid unnecessary comments.

A bug in orkut let you add custom images to Orkut’s status update feature as shown below…


As you can see, the OrkutFeeds logo in the above screenshot is not a standard smiley that orkut users can add as part of their status update messages.

Here are the steps to use this bug…

  1. Go to your orkut profile and find the status update field. Click on the edit button…

  2. Next, put the code shown below in it and click update.


The above will add the OrkutFeeds logo. Now, to add an image of your choice…

  • It must be on orkut.
  • It must be on orkut's image server, ex:,

Now here is the simplest way to put an image on orkut's image server. Upload any image as your profile display pic or community pic and it will go on the orkut image server of our interest. (Note: Uploading to a community is recommended.)

Once you find the image you are looking for on, say, an orkut community, get its URL. Firefox users can simply right-click on an image and select the Copy Image Location option from the context menu. [Note: this will not work on profile pictures.]


Now once you have URL where host name is like copy entire path from first slash (/) onwards.


For URL:

Copy only:


Now paste the copied part between:

<img src="   and   ">

So the final code will be:

<img src="">

You can put anything before and after final codes. Those who know HTML can easily recognize this img tag.

Copying profile picture requires opening HTML source code or using Backgroundimage Saver addon (firefox only).

Technical Details…

Some of you have noticed the strange /../.. in the URL. This is a standard hacking technique known as a Directory Traversal attack. The goal of this attack is to order an application to access a computer file that is not intended to be accessible. More details about this technique are here.

Now, although directory traversal is not such a severe thing, its presence may catch the eye of the hacker community. As always in the past, this may lead to a new XSS hole on orkut. Strangely, in my analysis I have found that more HTML tags are allowed in the status update field than is desirable from a security point of view!
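One way a filter can let /../.. through is by checking only how the src string begins. The Python sketch below is an added example, not code from orkut or from the original post; it contrasts such a prefix check with one that decodes and normalizes the path before deciding. The smiley directory /img/smiley/ and every sample path in it are assumptions constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumption: standard smileys are served from this directory (hypothetical path).
SMILEY_DIR = "/img/smiley/"

def naive_is_smiley(src: str) -> bool:
    """Weak check: trusts the start of the raw string."""
    return src.startswith(SMILEY_DIR)

def resolve_path(src: str) -> Optional[str]:
    """Return the path the server would actually serve, or None if src is unacceptable."""
    parts = urlsplit(src)
    if parts.scheme or parts.netloc:       # absolute or protocol-relative URL
        return None
    path = parts.path
    for _ in range(3):                     # peel nested percent-encoding (%252e -> %2e -> .)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None                        # still changing after 3 rounds: reject
    if "\\" in path or "\x00" in path or not path.startswith("/"):
        return None
    return posixpath.normpath(path)        # collapses "." and ".." segments

def strict_is_smiley(src: str) -> bool:
    """Hardened check: decide on the normalized path, not the raw string."""
    resolved = resolve_path(src)
    return resolved is not None and resolved.startswith(SMILEY_DIR)

# Constructed sample inputs (not taken from the post).
SAMPLES = [
    "/img/smiley/i_smile.gif",
    "/img/smiley/../../images/medium/123.jpg",
    "/img/smiley/%2e%2e/%2e%2e/images/medium/123.jpg",
    "/img/smiley/%252e%252e/%252e%252e/images/medium/123.jpg",
    "//other.example/img/smiley/i_smile.gif",
]

def audit(samples):
    """Return (src, naive verdict, strict verdict) for each sample."""
    return [(s, naive_is_smiley(s), strict_is_smiley(s)) for s in samples]

if __name__ == "__main__":
    for src, naive, strict in audit(SAMPLES):
        print(f"naive={naive!s:5} strict={strict!s:5} {src}")
```

Rows where the naive verdict is True and the strict verdict is False are the inputs a prefix-only filter would wrongly accept.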

(Credit: The bug is discovered by Pranav Pareek)


zorro June 23, 2008

man isnt workin wid me
pweez help man!!

Pavan Kumar June 24, 2008

Even I too failed, I used my profile image and failed, and when I used an image from album, the length of url got truncated. I did not try with community image. Let me see when free….

nrj June 24, 2008

its working rahul..
u r cooooool

Aditya June 24, 2008

As far as I tested, it works only with short image path, like ur community or profile DP. It does not work with album pics..! Correct me if I am wrong..

Gaurav June 24, 2008

I too had noticed the change as one of my friend had his status update shown in green color.

Rahul Bansal June 24, 2008

@zorro & Pavan
Buddy you cant use any image apart from orkut community & profile display pics.
By the way if you have problem creating your own code just give us link to image on orkut you want to use and I will send you readymade code. 🙂

@nrj & Aditya
Orkut images from album are hosted on server.
Only images hosted on img1/img2/img3/ server can be used.
By the way thumbnails of orkut album are hosted on servers of our interest. 🙂

I guess then font tag also working then…
God save orkut from another XSS attack!

Aditya June 25, 2008

I have tested it for many things, it works for font,href,img tags. And yeah, it will work for any image that is stored on orkut server. In fact, this was being used by Orkut engineers from the time this feature was launched. I just saw it in one of my buddy’s profile, who happens to work with the orkut team. 🙂

Deepak Jain June 25, 2008

🙁 I am unable to do this..
The html tag i’ve made is

and this image is from this community

Rahul Bansal June 27, 2008

Nice findings buddy… 🙂

Can we try with any other image??

nrj June 27, 2008

thanks a lot aditya for the useful info…

i m gonna try it out,..
thanx dude.

Akshay Jain July 1, 2008

plz help me
i m dont able to this plz help me

Rahul Bansal July 1, 2008

Sent you code. Just check ur gmail account.. 🙂