It looks like another hole inside Orkut has been discovered. Credit goes to Rajesh Sethumadhavan for discovering this.
1)Orkut Invite XSS:
The flaws are due to improper sanitization of inputs passed to
'continue' parameter in GET request
---------------------------------
http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie)
---------------------------------
Demonstration:
Note: Demonstration leads to your personal information disclosure
- Login to your orkut account
- Paste the above URL
- Click on BACK button
- Orkut Cookies will get displayed
I've forwarded the exploit to the Orkut team, as this can be potentially used by phishers and scammers (and may explain why so many forums were being stolen, something Google has corrected).
If anyone else discovers any other potentially harmful exploits, you can alert Google by clicking here.
Content Copyright 2005-2007 of Inside Orkut. All Rights Reserved. Violators (and hosts) can be prosecuted under national and international laws.
No comments:
Post a Comment