Exploiting cross-site scripting flaw on Orkut, “Bom Sabado” worm is spreading like a plague on Orkut. Bom Sabado means ““Good Saturday” in Portuguese. It sends “Bom Sabado ” scraps to your friends and automatically joins your profile on some adult communities. It’s a cookie stealing script in action.
Am I infected?
If you have seen “ Bom Sabado! “ scrap on orkut, on your scrapbook or your friends scrapbook, or seen this scrap on Gmail’s web interface, you are infected.
Don’t panic !
What should you do?
- Clear your cookies and cache.
- Change your Google account password immediately by visiting the following link and don’t login to Orkut till Google engineers fix this issue.
- Change the security question too
- Keep your Mobile phone no. updated for getting password reset code.
- Don’t try to open Orkut or messages from Orkut by e-mail. (SMTP & POP users may view the message in plain text)
- Stop visiting the scrapbooks of others till they fix this issue.
How can you help to avoid its spreading?
- Login to mobile version of Orkut http://m.orkut.com from Opera Mobile and delete all “ Bom Sabado! “ scraps
Pass this information to your friends. Stay tuned for further updates.
UPDATE from Google:
This is to inform you all that we've contained the "Bom Sabado" virus and have identified the bug that allowed this and have fixed it.
We're currently working on restoring the affected profiles.
Thanks a ton to each of you who's made an effort to alert everyone else about this.
This post is about how to Hack Hacked Orkut Account from Fake Page installed by Other People on some server.
Actually the logic behind this is we try to extract the txt file containing all the hacked username and password. But The question is how to do that.
There are several ways of doing this. The simplest of all is guessing te name of te text file and fetching it from browser. most common names are : Id.txt,passwords.txt,loginids.txt etc
But all people are not such idiots, some are smart ones too. Then what to do.
You may use Blackwidow software to scan the target url. It crawls the webpage and gives all the files. But sometimes due to restrictions even this crawler is not allowd to scan the folder where text file is stored.
Next we can take help of the google search engine. How to do that? Simple.. Just use the google dork :
site:[fakepage link].com filetype:txt
and done. The result will be in search results. Visit the text files and get the ids with passwords 🙂
Still if this doesnt works for you then you may try another method [suggested by prateek of OUG] . The method is :
Run Site Grabber
You won’t get the txt file in that but u will find the *.php file
Open it with notepad
Check this line:
$handler = fopen(“*.txt”, “a”);
Open the txt file now!
This is how you can hack the hackers without any problem
If you want to hack orkut account yourself then you may try this method
If you want to defend youself from being hacked on orkut by fake page or any other means the you may check my post
Thanks for reading this post. Please comment if the method works for you or not. And if you like my post then please share it. I Hope you enjoyed your stay here. Bookmark it and check back again
How To Protect Orkut account from being hacked ?
Well most of us have seen cases of hacking accounts on Orkut. Its very common and hacking orkut accounts is not a big deal. Basically Orkut users are hacked not because the orkut server’s security is compromised but because of the foolishness of the user itself. The few things you need to take care always are:
- Never enter your login details anywhere else except than the orkut homepage
- Never execute any file from any user until you are sure that its 100% safe. If you have doubt then upload it to www.virustotal.com and get scanned by various antiviruses for free
- If you are trying to be a hacker and trying to play with a keylogger then NEVER download a keylogegr setup from unreliable sources. Always get it from it’s official homepage. You may later apply the keys from other sites:P
- If someone else post any link then before clicking on the hyperlink make sure the written address and the target address is the same. just hover your mouse pointer over the link and target location will appear on the status bar below. Eg www.google.com [this link may appear to you google link but its not]
- If you visit anyone’s profile on orkut and gets some alert messege and then redirected to some other page become caucious because it happened due to xss present in the added application on that profile.
- Try to keep the login email id and the primary email id different on okut. There have been several cases of account disabling due to bug on one orkut form. once the account is disabled the ownership gets transferred to other people. In that form only login email was required so to be on safe side its not good to share it with others.
- If you own any community then its better to keep the ownership to a seprate profile which you do not use frequently. It will help you to keep the ownership safe.
- If you ever feel that you are being keylogged [or if you are using shared computers like in cafes] then better not to use keyboard for entering details. Use onscreen keyboard. Goto run and type OSK and press enter , it will open the on screen keyboard. Use it for entering your details there.
- If anytime you feel that your COOKIE is stolen and you are using gmail account then just log into your gmail account, SCroll down and click on “DETAILS” links. A popup window will appear showing all the last login details. There you may see the option of “Sign out all the sessions”. click on it and done.
If you keep these things in mind then there are rare chances of getting yourself hacked. This is not only applicable for orkut accounts but if you follow a said above then you may keep your all accounts safe. Hope this post of mine will help you. Thanks for reading this post.
Stay tuned for updates.
Vivek Sinha Anurag
Well.. Most of you have seen people on orkut with profiles having scraps (10000+). and you wish your profile to be same.. so not to worry.. its possible. there are various ways of increasing(flooding) scrapbooks on orkut.
Thanks to the community which released the first ever scrapbook flooder (Vijay Floodmachine) with the help of which many people touched 18crore scraps count.
How Flooding is done.??
its simple.. its like many people scrapping you at almost same time..
For flooding you need multiple fake profiles. It can be created manually also and with the help of Fake profile makers too.. You may search for it in orkut community OUG. Another thing which you need is a flooder software. Thanks to Tree who updated the Tree Fm on request of OUG’s members despite of his busy schedule and keeps on updating. You may download the latest version of TreeFM from the official link [dont download from any other place at it may hack your ids]
Download it from here : http://www.esnips.com/web/Treefm
Updated On : 04:24AM 10/03/2008
PS: It will work on all profiles whether u have #main, weather u have .co.in .com.br .com.pk or any other on your profile or not.
Note: It won’t work on lower version of Java Runtime Environment (JRE).
You need atleast Java Runtime Environment (JRE) 184.108.40.206.
Here is the way to Check your Java Runtime Environment (JRE) version
So, better uninstall your Java Runtime Environment (JRE) and let Treefm install correct Java Runtime Environment (JRE) on its own.
Or download and install on your own from here http://javadl.sun.com/webapps/download/AutoDL?BundleId=23111
How to use this software.. its simple.
here is the video tutorial on youtube.
keep few things in mind:
from one id dont scrap more than 50 scraps else the ids will be banned and will be deleted soon.
also dont flood too much on single day. the target profile may be banned temporarily by orkut. it will be ok in approx 4 hours.
Warning: if orkut want it may delete your profile if you flood.. but who cares.. there are lakhs of profile on orkut with so much of scraps.. me too with 100000+ scraps.. :p
this is a modified version of the script given here
1. fixed background image
2. transparent look
special thanks to prateek for helping me 🙂