Saturday, December 13, 2008

[Security][TIP]How to prevent and identify XSS hack attacks on Orkut

Visiting other profiles has become dangerous. Identification and prevention method discovered by the blakut team.
After the XSS hack on the "Orkut Album Comments" was fixed, users with programming knowledge came up with application XSS hacks. In short, when you visit an unknown person's profile you may get unexpected JS alerts like the one shown in the image below!
There is a risk that your cookies get stolen, that you get redirected to another site, or that you get logged out of Orkut. You may also be redirected to a fake Orkut login page where your password is exposed to phishing. So before visiting any profile, whether or not the person is on your friend list, keep these points in mind:

1. These tricks are done through a number of applications. The most dangerous ones are called "Dog of the day", "Cat of the day" and "Pet of the day", because they have HTML coding enabled under the "edit profile" option: whatever HTML the profile owner types there is shown to every visitor as-is, which is what makes injecting script possible.
2. While visiting any profile, if you see one of the above applications, close the page immediately, or hit the "Stop" button in your browser so Firefox stops loading the page before the injected code runs.
3. To identify whether an app has been tampered with XSS code, look at the app and search for the small box-type characters shown in the image.
4. If JS alerts pop up on your screen, DO NOT HIT THE OK BUTTON; HIT THE CLOSE BUTTON at the top right. In such cases force-closing the browser is recommended. Keep in mind that by the time an alert appears the injected script has already run, so what matters most is not entering anything on whatever page comes next.
5. If you are redirected to a page saying you have been logged out, DO NOT LOG IN FROM THAT PAGE. Close your browser, clear your cookies, and then log in from www.orkut.com.
6. If you are redirected to a page saying your profile has been deleted, do not panic. Just close your browser and open Orkut again. Everything should be fine.
7. Avoid the "remember me" option on the login page for some time.
8. Use the Firefox web browser and install the NoScript add-on, which prevents most of these hacks. This seems to be the most effective way to stop them.

Note: Orkut has started fixing this hack. Many applications have been tagged with "Warning - Potential Vulnerability in this app". DO NOT CLICK ON APPLICATIONS WITH THIS TAG.
_____________________
Update [18th Jan, 2009]: Orkut still has not fixed this bug entirely. So it is better to install the AdBlock Plus add-on on Firefox and block the loading of the Orkut G-Module (the orkut.gmodules.com host that serves Orkut applications). Blocking it stops the applications, and with them any script injected into them, from loading at all. This can be done as follows:

1. Switch to Firefox.
2. Install the AdBlock Plus add-on: click the "Add to Firefox" button there.
3. Restart Firefox.
4. Click the dropdown arrow on the red ABP icon in the upper right corner of Firefox.
5. Click "Preferences".
6. Click "Add Filter".
7. Add this filter and hit Enter:
http://*orkut.gmodules.com*
8. Click the OK button.
9. You are now safe from this vector: Orkut applications will no longer load at all.
Suggested by Navneet Saini: always keep your eye on the address bar before entering your username and password. The proper login page should start with www.google.com/...
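The three technical points above (profile text dropped into application HTML unescaped, checking the login page's address before typing a password, and the AdBlock Plus wildcard filter) as an added example in JavaScript. This is not code from the original post, from the blakut team, or from Orkut. It assumes: a login host allowlist of www.google.com and www.orkut.com taken from the post, an extra https requirement that the post does not state, a simplified reading of AdBlock Plus filters (plain filters match as substrings with "*" as a wildcard), and a constructed sample payload that only raises an alert, matching what the post describes.

```javascript
// Added example, not from the original post. All names, the host allowlist
// and the sample values below are constructed for illustration.

// --- 1. The root cause: application text inserted into HTML unescaped ---

// Escape the five characters that let user text break out of an HTML text
// node or attribute. This is the fix the application authors needed.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the value goes straight into the markup ("HTML coding enabled").
function renderAppFieldUnsafe(label, value) {
  return `<div class="app-field">${label}: ${value}</div>`;
}

// Hardened: the same field, with label and value escaped before insertion.
function renderAppFieldSafe(label, value) {
  return `<div class="app-field">${escapeHtml(label)}: ${escapeHtml(value)}</div>`;
}

// Crude detector for active content in rendered markup: a script tag, an
// inline event handler, or a javascript: URL. Enough to show the difference
// between the two renderers above; not a production filter.
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=|javascript:/i.test(html);
}

// --- 2. The address-bar check: is this really the login page? ---

// Assumption: illustrative allowlist built from the post's advice, not an
// official list of Google login hosts.
const TRUSTED_LOGIN_HOSTS = new Set(["www.google.com", "www.orkut.com"]);

// Parse the URL the way a browser does, so lookalikes such as
// "www.google.com.evil.example" or "www.google.com@evil.example" are seen
// for what they are: a different host. Requiring https is stricter than the
// post, which only mentions the host.
function isTrustedLoginUrl(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return false; // not a URL at all
  }
  return u.protocol === "https:" && TRUSTED_LOGIN_HOSTS.has(u.hostname);
}

// --- 3. The AdBlock Plus filter from the update, as a matcher ---

// Simplified ABP semantics (assumption): a plain filter matches anywhere in
// the URL as a substring, with "*" standing for any run of characters.
// This is how the post's filter http://*orkut.gmodules.com* is meant to work.
function abpFilterMatches(filter, url) {
  const pattern = filter
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")) // escape literals
    .join(".*");
  return new RegExp(pattern).test(url);
}

// Usage: a constructed field carrying the kind of payload the post describes
// (an unexpected alert), rendered both ways, plus the two checks.
const samplePayload = '<script>alert("xss")</script>';
console.log(containsActiveContent(renderAppFieldUnsafe("Pet of the day", samplePayload))); // true
console.log(containsActiveContent(renderAppFieldSafe("Pet of the day", samplePayload)));   // false
console.log(isTrustedLoginUrl("https://www.google.com/accounts/ServiceLogin"));            // true
console.log(isTrustedLoginUrl("https://www.google.com.evil.example/accounts"));           // false
console.log(abpFilterMatches("http://*orkut.gmodules.com*",
  "http://1.ig.orkut.gmodules.com/gadgets/ifr?url=x"));                                    // true
```

The escaping function is the part that actually closes the hole; the login-URL and filter checks only limit the damage for a user while the applications remain unfixed, which is exactly the situation the update describes.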
Just remember these tips and everything will be just fine.
Happy Orkutting
~~The End~~