Not so long ago, bugs in Orkut's privacy features made users' scrapbook and album content accessible to everyone, no matter what privacy settings they chose. The Orkut team fixed those bugs, but unfortunately they will have to cancel their holiday plans, if any, because a new bug has been discovered in Orkut which lets spammers send any link without filling in the captcha (image verification). All this means more sCrap All spam on Orkut!
#proof of concept:
Paste the following code in any scrapbook…
A link will be sent which, on clicking, will take you to this blog's homepage!
Well, the link may look confusing, so the end user may not click on it…
OK.. What about the following code…
How many of you look at the browser status bar when clicking a link? 😉
#How to (ab)use!
To send links, all you need to do is copy the following code and append any URL without http:// to it. (Do not remove any slashes…)
#How this bug can be abused?
- Scrap All Script: The spammers' favorite and most powerful tool against Orkut is the Scrap All script!
- To spread Trojans, viruses, spyware, worms, etc.: www.devilsworkshop.org can be replaced by a link to malicious content.
Old Orkut users may remember that, in the past, the spreading of a worm via scrapbook was one of the reasons Orkut came up with the captcha (image verification) when sending third-party links! What is the use of a captcha if it can be bypassed?
- The bug is in ClickTracker.aspx (URL: http://www.orkut.com/ClickTracker.aspx).
#A simple fix Orkut can do..
Put an if-else block at the beginning of ClickTracker.aspx which checks the url parameter for third-party domains (i.e. anything other than orkut.com or google.com). If a third-party domain is found, call the captcha routine or just abort the execution.
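
A sketch of that check, as an added example (not Orkut's code, and written in Python rather than ASP.NET): the hypothetical `is_first_party` and `click_tracker_action` helpers decide whether a target may be redirected to without the captcha. The sample targets are constructed, and treating subdomains of orkut.com and google.com as first-party is an assumption.

```python
import re
from urllib.parse import urlsplit

# First-party domains named in the post; accepting their subdomains is an assumption.
ALLOWED_DOMAINS = ("orkut.com", "google.com")
_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def is_first_party(url_param: str) -> bool:
    """True only when the target's host is an allowed domain or a subdomain of one."""
    target = url_param.strip().replace("\\", "/")  # browsers treat "\" like "/"
    if not _HAS_SCHEME.match(target):
        # The post notes targets are passed without "http://", so normalise first.
        target = "http://" + target.lstrip("/")
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    # Compare whole labels: a substring or endswith("orkut.com") test
    # would also accept look-alike hosts such as "attackerorkut.com".
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def click_tracker_action(url_param: str) -> str:
    """Hypothetical decision at the top of the tracker: redirect, or demand the captcha."""
    return "redirect" if is_first_party(url_param) else "captcha"


if __name__ == "__main__":
    # Constructed sample values for the url parameter.
    for sample in (
        "www.orkut.com/Scrapbook.aspx",
        "//www.google.com/",
        "www.devilsworkshop.org",
        "attackerorkut.com",
        "orkut.com.attacker.example",
        "http://orkut.com@attacker.example/",
        "javascript:alert(1)",
    ):
        print(f"{click_tracker_action(sample):8}  {sample}")
```

The check fails closed: anything that does not parse to an http(s) URL on an allowed host is sent to the captcha path.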