New Orkut Bug Let Spammer Send Any Link Without Image Verification! (Orkut Loves SPAM)


Not so long ago, bugs in Orkut's privacy features made users' scrapbook and album content accessible to everyone, no matter what privacy settings they chose. The Orkut team fixed those bugs, but unfortunately they will have to cancel their holiday plans (if any), as a new bug has been discovered in Orkut which lets spammers send any link without filling in the captcha (image verification). All this means more sCrap-all spam on Orkut!


#proof of concept:

Paste the following code in any scrapbook…

A link will be sent which, on clicking, takes you to this blog's homepage!

Well, you may say the link looks confusing, so the end user may not click on it…

OK, what about the following code…

How many of you look at the browser status bar when clicking a link? 😉

#How to (ab)use!

To send links, all you need to do is copy the following code and append any URL without http:// to it. (Do not remove any slashes…)

http://www.orkut.com/ClickTracker.aspx?url=////// 


#How can this bug be abused?

  • Scrap All script: spammers' favourite and most powerful tool against Orkut is the Scrap All script!
  • To spread Trojans, viruses, spyware, worms, etc.: www.devilsworkshop.org can be replaced by a link to malicious content.

Old Orkut users may remember that, in the past, the spreading of a worm via scrapbooks was one of the reasons Orkut came up with the captcha (image verification) when sending third-party links! What is the use of a captcha if it can be bypassed?


#Bug Details

  • The bug is in ClickTracker.aspx (URL: http://www.orkut.com/ClickTracker.aspx ).


#A simple fix Orkut can do..

Put an if-else block at the beginning of ClickTracker.aspx which checks the url parameter for third-party domains (i.e. anything other than orkut.com or google.com). If a third-party domain is found, call the captcha routine or just abort execution.
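One way to implement that allowlist check, written here as an added Python example rather than the ASP.NET code Orkut would actually run (the allowed-domain list, the function names and the sample links are assumptions; only the `url` parameter and the domains orkut.com, google.com and www.devilsworkshop.org come from the post). It also handles the run-of-slashes trick the proof of concept relies on: a URL parser reports `//////host` as a host-less path, while a browser collapses the slashes and goes to `host`, so the slash check has to run before parsing.

```python
from urllib.parse import urlsplit

# Domains the tracker may redirect to without a captcha. Constructed for this
# example from the two domains named in the post; the real list is an assumption.
FIRST_PARTY_DOMAINS = frozenset({"orkut.com", "google.com"})


def is_first_party(target: str, allowed=FIRST_PARTY_DOMAINS) -> bool:
    """True only if `target` is a same-site path or an http(s) URL on an allowed domain.

    The leading-slash check must run before urlsplit(): urlsplit('//////evil.example')
    returns an empty host and the whole string as the path, whereas a browser
    collapses the slash run and loads https://evil.example.
    """
    t = target.strip()
    if not t:
        return False
    # Two or more leading slash-like characters ('//host', '/\\host', '\\\\host')
    # make the URL scheme-relative in every browser, so reject them outright.
    if t[0] in "/\\" and len(t) > 1 and t[1] in "/\\":
        return False
    # Browsers normalise backslashes to slashes in http(s) URLs; do the same
    # before parsing so 'http:\\\\evil.example' is seen as a host, not a path.
    t = t.replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme == "" and parts.netloc == "":
        # A bare path such as '/Scrapbook.aspx' stays on the tracker's own
        # origin; anything else without a scheme (e.g. 'evil.example') is
        # ambiguous and is not trusted.
        return t.startswith("/")
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, ftp: and friends never qualify
    host = parts.hostname or ""  # .hostname is lower-cased and drops userinfo/port
    return any(host == d or host.endswith("." + d) for d in allowed)


def click_tracker(url_param: str, captcha_passed: bool = False):
    """Model of the suggested fix: what ClickTracker.aspx should do with `url`.

    Returns ('redirect', url) when the link is first-party or the captcha has
    already been solved, and ('captcha', url) when a third-party link still
    needs image verification before the redirect happens.
    """
    if is_first_party(url_param) or captcha_passed:
        return ("redirect", url_param)
    return ("captcha", url_param)


if __name__ == "__main__":
    # Constructed sample values of the url parameter, including the bypass form.
    for sample in [
        "http://www.orkut.com/Scrapbook.aspx",
        "//////www.devilsworkshop.org",
        "http://www.devilsworkshop.org/",
        "http://orkut.com@www.devilsworkshop.org/",
        "/Home.aspx",
    ]:
        print(sample, "->", click_tracker(sample))
```

Matching on the registered domain (`orkut.com` or any `*.orkut.com`) rather than on a substring is what stops `http://orkut.com.evil.example/` and `http://orkut.com@evil.example/` from passing; the `hostname` property strips the userinfo part, and the suffix test anchors on a dot.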


That’s it! Thanks to Gaurav for finding the bug and reporting it in the Orkut Google group! If you are a Google group user, please post a reply in that thread so that it gets noticed by the Orkut team sooner!

10 Comments

Lucky February 5, 2008

Hi.. very nice work, keep it up! 🙂 Like it a lot..

Rahul Bansal February 11, 2008

@Lucky
Thanks for your word of appreciation….

tanmoy talukdar February 13, 2008

it is fixed i think

Rahul Bansal February 15, 2008

@tanmoy
That's great then! I personally hate spam….

viren November 10, 2009

I realllllly hate spam.

Abi November 12, 2009

Yaar, how to do it? I don't understand. If I want to send yahoo.com, what's the link without image verification?

intequab naser April 10, 2010

How to scrap a website URL in the Orkut scrapbook?
Tell me dude… I want to scrap a URL……. please help me.

Nikzzie October 22, 2010

It's really not working in Orkut. It's not allowing me to post any URLs, not even http://www.google.com..