Orkut Applications Security Factor
Orkut, still in its beta stage, is continually coming up with new features based on user feedback. As on Facebook, Orkut has also started applications that use your current connections to help you communicate better with others and do fun new things in Orkut. These applications could be integrated with the scrapbook and testimonials.
Opening up Orkut to third-party developers carries a high security risk for its users. However, these applications have not yet been brought to the main Orkut site; they are being tested on a separate Orkut Sandbox site. Users will be able to select applications they like and add them to their profiles. Orkut will also be the first website to use a new web technology called OpenSocial, which allows developers to use web standards (such as HTML and JavaScript) to build new social applications in Orkut.

(image from TechCrunch)
Orkut was recently hit by a self-spreading worm that did no major damage beyond sending out scraps to your friends on your behalf. See these links for more details. The worm, which used Flash-based JavaScript malware and took advantage of an XSS vulnerability in Orkut, added its victims to a rogue Orkut community, reportedly called “Infectados pelo Virus do Orkut,” which at one point today had captured hundreds of thousands of involuntary members. The attacker wrote a message in Portuguese on the rogue community site; translated, it says: “This just to show how orkut may be dangerous, you came up here without clicking absolutely no link malicious, everything was done reading scraps.” The message also said that no data was stolen in the attack.
http://www.pcworld.com/article/id,140653-c,worms/article.html
http://orkutplus.blogspot.com/2007/12/breaking-xss-in-scrapbook-if-you-open.html
Orkut has suffered from other vulnerabilities in the past, including XSS, script insertion, information disclosure, and a worm that propagated malware. One of these was a session-handling flaw: when an Orkut user is required to authenticate himself again during a session (say, while deleting a community), the user is redirected to a login page where he has to enter his password to log in again. At this stage the session should ideally be disabled and re-enabled only after the user re-authenticates. However, the session associated with the SID and LSID cookies remained alive on the server side, so it was not safe to abandon the session at this stage. An attacker who had obtained these cookies could set them in his browser and access the compromised account by visiting http://www.gmail.com/, https://www.google.com/accounts/ManageAccount, etc. This security bug has since been fixed. Since most Orkut users use the same Gmail account with Orkut, Google should be very careful with Orkut: exploits like these can lead to great damage for its users.
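The session-handling flaw described above, as an added illustration that is not Orkut's or Google's code: a minimal server-side session store in the weak configuration that keeps a session alive while the user is sent to the re-login page, beside the hardened configuration that suspends it and issues a fresh identifier after re-authentication. The store, its method names and the retained cookie-value copy are constructed for this example.

```python
import secrets


class SessionStore:
    """Constructed model of server-side session state keyed by a cookie value (think SID/LSID)."""

    def __init__(self, strict):
        self.strict = strict          # False = weak behaviour described in the post, True = hardened
        self._sessions = {}           # session id -> {"user": str, "suspended": bool}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "suspended": False}
        return sid

    def require_reauth(self, sid):
        """A sensitive action (e.g. deleting a community) sends the user to the login page."""
        if self.strict and sid in self._sessions:
            # Hardened: the session is disabled until the password is entered again.
            self._sessions[sid]["suspended"] = True
        # Weak: nothing happens server-side; the old cookie keeps working meanwhile.

    def reauth(self, sid, password_ok):
        """Called after the login form; returns the session id the user should continue with."""
        rec = self._sessions.get(sid)
        if rec is None or not password_ok:
            return None
        if not self.strict:
            rec["suspended"] = False
            return sid                      # weak: same identifier stays valid
        # Hardened: retire the old identifier and issue a fresh one, so any earlier copy is dead.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": rec["user"], "suspended": False}
        return new_sid

    def is_valid(self, sid):
        rec = self._sessions.get(sid)
        return rec is not None and not rec["suspended"]


def demo(strict):
    """Returns (old cookie valid during re-login?, old cookie valid after re-login?, new id valid?)."""
    store = SessionStore(strict)
    sid = store.login("alice")
    old_cookie = sid                         # a copy of the cookie value retained from before
    store.require_reauth(sid)
    during = store.is_valid(old_cookie)
    new_sid = store.reauth(sid, password_ok=True)
    return during, store.is_valid(old_cookie), store.is_valid(new_sid)
```

With `strict=False` the old cookie value stays usable throughout, which is the behaviour the post describes; with `strict=True` it is rejected both during and after the re-login.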

hmm… a matter to consider for Gmail and Checkout users
That's scary, I've experienced it too.
Jun 28th, 2008 at 2:12 pm