Continued from the previous post on TypeRacer
Now the question was: is there any possibility of compromising your account using this bug? And if so, has anyone already started exploiting it? I posted my thoughts at Hacker's Library, and Vipul responded in my scrapbook. (I don't think I can recreate the conversation exactly here, as he keeps his scrapbook empty.) Anyway, let me see.
This is Vipul's perspective on how this bug can be exploited.
You can successfully make an XSS attack using the TypeRacer app’s bug.
How about a link to an external script.
Actually the name field has limited letters, so you can simply so is we can connect it via external scripts. But still, it's not good to have such a flaw! The basics of XSS is if you're able to execute scripts on a remote machine using a bug from a live site.
We can just publish that malicious scripts can be executed in orkut and can cause a "Man in the Middle" attack. How are we able to execute script?
In what ways? One way is by typing in the First Name - Last Name fields. It's just working with the profile name, nothing else.
Actually the profile name flashes in the TypeRacer app, that’s why!
Then I tried using document.cookie in the script (`javascript:alert(document.cookie)`, when executed in your address bar, displays the cookies set for the current page). But the outcome was a blank alert box. This means that document.cookie did not carry any value; it was empty when executed via the TypeRacer app.
To this Vipul replied
How about the spammers?
They can make fake accounts and add themselves in typeracer and then they put the redirection script to advertisement sites and can gain profits. A script hosted on a different server which contains the bunch of those click fraud URLs.
Then, after some profile surfing, I found it irritating at times to get a bunch of alerts on profiles having the TypeRacer app. It seems that Java applets can also be executed via similar scripting. In a community discussion, I found the code which claimed to be "a orkut trojan":
http://f4.filecrunch.com/files/20080512/cd347c7536557e269ff599fb5756fd9a/hi3.js
What this code does shall be discussed later. It basically mails your cookies and transfers your communities. But the latest Firefox and IE7 avoid session and cookie hijacks, and for transferring communities the password is now required. So there isn't any possibility of account or community hijack; only some irritating scripts might run. Use Firefox with the NoScript addon installed to avoid all these problems.
Best solution: remove the TypeRacer app, at least until the problem is resolved by the brains behind the application, and do use Firefox with the NoScript addon.
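The root cause discussed above is that the profile name is pasted into the app's markup as-is, so any markup in the name becomes live. The following is an added example, not TypeRacer's or orkut's own code, showing that rendering bug next to its fix (HTML-escaping the name before insertion) and a small check that flags any raw tag surviving in the rendered output; the function names and sample names are constructed for illustration.

```javascript
// Added example: how a profile name should and should not reach the page.

function renderRacerUnsafe(profileName) {
  // Vulnerable pattern (the bug described in the post): the untrusted
  // name is concatenated straight into HTML, so "<script>" in the name
  // becomes a real script element when the app is rendered.
  return '<span class="racer">' + profileName + '</span>';
}

function escapeHtml(s) {
  // Encode the five HTML metacharacters so the browser treats the
  // string as text no matter what it contains.
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderRacerSafe(profileName) {
  // Fixed pattern: escape before insertion. In a real page you would
  // prefer element.textContent over string concatenation entirely.
  return '<span class="racer">' + escapeHtml(profileName) + '</span>';
}

// Reviewer check over rendered output: strip the known wrapper and
// report whether any raw tag opener is left inside the racer span.
function containsRawTag(html) {
  const inner = html
    .replace(/^<span class="racer">/, '')
    .replace(/<\/span>$/, '');
  return /<[a-zA-Z/!]/.test(inner);
}

// Constructed sample names (not real accounts); the last one is the
// kind of name that produced the "bunch of alerts" mentioned above.
const SAMPLE_NAMES = [
  'Bob',
  'Alice <b>fast</b>',
  '<script>alert(1)</script>',
];

function demo() {
  return SAMPLE_NAMES.map((n) => ({
    name: n,
    unsafeHasTag: containsRawTag(renderRacerUnsafe(n)),
    safeHasTag: containsRawTag(renderRacerSafe(n)),
  }));
}
```

Running demo() shows the unsafe renderer leaking a raw tag for the second and third names while the escaped renderer never does.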
Nice post. The only result I found on Google about TypeRacer XSS.
Well, I liked the idea of promoting NoScript. In fact I myself wrote a similar article in my blog about the uses of NoScript when the last worm on orkut appeared through the scrapbook Flash XSS.
It also gives technical info about questions like why document.cookie does not carry orkut cookies. By the way, in the case of this XSS, even though there is a persistent XSS in TypeRacer, you cannot steal orkut's cookies because those lie in a different domain (cross-domain browser protection). By document.cookie you can only access the TypeRacer site's cookies, which in this case are NULL, because the TypeRacer application didn't store any cookies. But yes, the effect can still be dangerous if you can redirect the victim to a fake orkut login page and he/she enters his userID and password.
My Blog:
http://rhosted.blogspot.com/
Yes, exactly. There is indeed a possibility of redirection to fake login pages. That could cause potential harm to the victims.
Always check that the URL starts with https:// rather than http:// while entering your user name and password, not just on orkut, but on any login page.
Another problem arising because of this bug was the execution of Java applets. I am not sure how it works, but it is quite irritating.
[...] Later I got busy with other stuffs, and came back to TypeRacing when the problem of script tag not being filtered came into picture. (Read about this here) [...]