(Hat Tip: Ha.ckers)
It looks like another hole inside Orkut has been discovered. Credit goes to Rajesh Sethumadhavan for discovering this.
1)Orkut Invite XSS:
The flaws are due to improper sanitization of inputs passed to
'continue' parameter in GET request
---------------------------------
http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie)
---------------------------------
Demonstration:
Note: Demonstration leads to your personal information disclosure
- Login to your orkut account
- Paste the above URL
- Click on BACK button
- Orkut Cookies will get displayed
I've forwarded the exploit to the Orkut team, as this can be potentially used by phishers and scammers (and may explain why so many forums were being stolen, something Google has corrected).
If anyone else discovers any other potentially harmful exploits, you can alert Google by clicking here.
3 opinions:
after this already appear two other xss bugs in orkut.. and too much dangerously..
in the album legend and where you put the city and province there is another xss vulnerability
All Orkut vulnerabilities are posted in http://www.xdisclose.blogspot.com
Yean the above script is not working now
Post a Comment
Welcome to Inside Orkut, the unofficial blog to Orkut.com, a social network by Google.
Feel free to post your opinions and questions below, or just email me or scrap me if Orkut is your style.
Cheers!