Orkut hacking: New XSS vuln. revealed

Here is a new XSS vulnerability found for "orkut blogs". With the exploitation of this vulnerability an attacker can steal the login credentials of the victim. I have posted the screenshot of one.

Heres the link of 1 INJECTED XSS BLOG:

IMPORTANT NOTE: If you visit this profile then your login credentials would be stolen. So make sure that u create a new fake profile and then check this out.

Link:- http://www.orkut.com/Main#Application.aspx?uid=2377494914036893288&appId=675426251494

Screen shot is attached

Credits to:- Pierre Gardenat

 

cool find whoeva did

 

Is this original?

 

what do u mean by original?

 

I just meant is this your exploit, or did you find it somewhere?

 

Credits to:- Pierre Gardenat

i have written that in the first post itself

 

Oh. lol sorry, for some reason I thought that was the title of the image or something :p

 

I checked it and it works.

 

can any 1 xplain me hw did this worked?

dnt mind 4 dis question,..
i m new...

 

@ indiansword

Can you please share it ?

 

I agree, how does it work?? whats the idea?

 

Obviously,the whole point of this exploit is to have your victim visiting the exploited page and steale their cookie session.
It will work perfectly if you send them a convincing message with an eleborated and crafted page link.
I won't o it,but there are plenty websites that inspect source codes from websites for you to view. Look at the source code and check it out.

 

what if cookie is disabled?

 

if they're disabled then you're out of luck. However,it all will depend on the site. Make a search about https/http cookies and regular session cookies,big diference between the two of them.

 

I dont think cookies would be disabled for google. Entire google works on cookies. All the google sites work on cookies and they share the same session i.e. google, gmail, orkut etc.