Friday, May 23, 2008

Orkut Social Application - An Alert Script trouble !

As described here:

"When one of my friends told me this, I didn't take it very seriously, because what he told me was not happening for me. What he told me was: 'Hey G, whenever I come to your profile, an alert box appears with the name askoppal. Do you know who it is?'

Well, askoppal is my friend and is in my friends list, but nothing of that sort happened for me, because I was using Opera then and scripts were blocked. But the interesting thing happened this morning when I used Firefox: yes, an alert box was indeed appearing when I visited my profile.

Primary investigations showed me that there wasn't anything in the source that could be causing this. Then I went to askoppal's profile page and found that his profile name was
alert('askoppal')

and hence an alert box was appearing even on his profile page. But why on mine?

So what I did was change my title to a similar one:
alert('Jithin K.Rajeev')
And then I observed that my name too was displayed in the alert box; it appeared two times, and then askoppal's name.

Now the question was: is there any possibility of compromising your account using this bug? If yes, has anyone already started exploiting this bug? I posted my thoughts at Hacker's Library, and Vipul responded in my scrapbook. (I don't think I can recreate the conversation here, as he keeps his scrapbook empty. :( ) Anyway, let me see.

This is Vipul's perspective on how this bug can be exploited.

You can successfully make an XSS attack using the TypeRacer app's bug.

How about a link to an external script?
Actually, the name field has limited letters, so you can simply so is we can connect it via external scripts. But still, it's not good to have such a flaw!

The basis of XSS is if you're able to execute scripts on a remote machine using a bug from a live site.
We can just publish that malicious scripts can be executed in Orkut and can cause a 'Man in the Middle' attack.

How are we able to execute the script?
In what ways? One way is by typing it in the First Name / Last Name fields.

It's just working with the profile name, nothing else.
Actually, the profile name flashes in the TypeRacer app; that's why!

Then I tried using document.cookie in the script (javascript:alert(document.cookie), when executed in your address bar, displays the cookies that are set). But the outcome was a blank alert box. This means that document.cookie did not carry any value; it was null when executed via the TypeRacer app.

To this Vipul replied:

How about the spammers?
They can make fake accounts, add themselves to TypeRacer, and then put in a redirection script to advertisement sites and gain profits: a script hosted on a different server which contains a bunch of those click-fraud URLs.

Then, after some profile surfing, I found that it was irritating at times to have a bunch of alerts in profiles having the TypeRacer app. It seems that a Java applet can be executed via similar scripting. In a community discussion, I found the code which claimed to be 'an orkut trojan':

http://f4.filecrunch.com/files/20080512/cd347c7536557e269ff599fb5756fd9a/hi3.js

What this code does shall be discussed later. It basically mails your cookies and transfers your communities. But using the latest Firefox and IE7 avoids session and cookie hijacks, and for transferring communities, the password is now required. So there isn't any possibility of account and community hijack; only some irritating scripts might run. Well, use Firefox with the NoScript addon installed to avoid all problems.

Best solution: remove the TypeRacer app, at least till the problem is resolved by the brains behind the application. And do use Firefox with the NoScript addon."
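As an added example (not code from the post, from Orkut or from TypeRacer), here is how a gadget that displays another user's profile name should treat a name like the one above as data in both HTML and script contexts, plus a cheap check that flags script-looking names for review. The sample names and the example.invalid host are constructed.

```javascript
// Added example: a profile name is untrusted input. Treat it as data,
// never as markup or script. Sample names are constructed; one is the
// profile name from the post.
const SAMPLE_NAMES = [
  "Jithin K.Rajeev",                                         // benign
  "alert('askoppal')",                                        // name from the post
  "javascript:alert(document.cookie)",                        // address-bar style payload
  "<script src=\"http://example.invalid/x.js\"></script>",  // external script, placeholder host
];

// How a gadget might have built its HTML: raw concatenation. The name lands
// in the page unchanged, so anything markup-like in it is interpreted.
function renderUnsafe(name) {
  return "<b>" + name + "</b>";
}

// HTML context: escape the five characters that can change the markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(name) {
  return "<b>" + escapeHtml(name) + "</b>";
}

// Script context (a name handed to an inline <script>): emit a JSON string
// literal and also escape "<" so "</script>" cannot end the block early.
function scriptLiteral(s) {
  return JSON.stringify(String(s)).replace(/</g, "\\u003c");
}

// Moderation heuristic: does a display name look like code? A hit is a
// reason to review the name, not proof of an attack.
function looksLikeScript(name) {
  return /<\s*script|javascript\s*:|\b(alert|eval|prompt)\s*\(|document\.cookie|on\w+\s*=/i.test(name);
}

// Run every sample through the checks and both safe encoders.
function report() {
  return SAMPLE_NAMES.map((n) => ({
    name: n,
    flagged: looksLikeScript(n),
    html: renderSafe(n),
    js: scriptLiteral(n),
  }));
}
```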