in Uncategorized

orkut users beware : fake login script

Today evening while sigining into orkut to thank the bday wishers, I noticed that somehow the correct username / password combination was failing and noticed the URL as

http://okrutt-co-in.110mb.com/orkutt.htm

instead of something like orkut.com / co.in or google account login URL

on checking the pages via firebug the baseURI is different

ie:

original its something like:

https://www.google.com/accounts/ServiceLogin?service=orkut&hl=en-US&rm=false&

cd=IN&passive=true&skipvpage=true&sendvemail=false&continue=http%3A%2F%2F

www.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3D%252FMain%2523Home.aspx”

and the cracker has :

http://okrutt-co-in.110mb.com/orkutt.htm

its found that the above URL is POSTing the user name password combination to: a PHP file

orkut.php

which is posting the user name password after saving to db of the cracker / sending out to email address to google auth mechanism.

The most important change is in the form gaia_loginform :

bgcolor=”#E8EEFA”>

<form id=”gaia_loginform” action=”orkut.php” method=”post”

onsubmit=”return(gaia_onLoginSubmit());”>

In the orginal orkut page, the login information is POSTed to

https://www.google.com/accounts/ServiceLoginAuth?service=orkut”

I am about to mail google securiy / abuse etc and 110mb.com support. If possible I will update here.

————————————————————————————————————————–

even if you understand any of the above, while signing to orkut.com / google account make sure that the URL appearing in the browsers page is is something like

https://www.google.com/accounts/ServiceLogin?service=orkut&hl=en

————————————————————————————————————————–

PS: I am extremly sleepy and the analysis may be wrong. 😀

Write a Comment

Comment

  1. Removed.

    If we can assist you further, please let us know.

    110mb.com Support

    upate:

    — REPLIES VIA EMAIL WILL NOT BE RECEIVED. YOU MUST LOGIN & REPLY VIA http://www.110mb.com/support

    Ticket Details
    ===================
    Ticket ID: PYL-752118
    Department: Report TOS/Abuse Violation
    Priority: High
    Status: Closed