Hide Complete Orkut Profile! [New Orkut Bug] HackZ

Author: nspanspa
A long time back I wrote about hiding your profile name on Orkut. That was worth writing about because, by default, you cannot leave the first and last name fields of your Orkut profile empty.
Now comes a simple bug which hides the complete Orkut profile, as shown below…
invisible orkut profile
# Steps To Hide:
  1. Go to Orkut's manage stuff page.

  2. You will see a URL field on that page. Enter http://oa.addons.googlepages.com/hideme.xml in that field.

  3. Press the Add button. That's it!

Here comes screenshot…
Hide Orkut Profile
# Steps To UnHide: (works in Firefox 2.x only)
  1. Go to Orkut's manage stuff page.

  2. You will see a My Feeds section at the bottom of that page.

  3. Click the remove button next to the feed we added above!

Here comes screenshot…
UnHide Orkut Profile
# Technical Details
If you look at the source of hideme.xml you can see that the title field contains a script tag!
All the profile contents are still there if you look at the source code of a hidden profile page; they are simply never rendered.
>> Here is what exactly went wrong:
  • First, feeds have no restriction on their title length.

  • On profile pages Orkut shows the feeds added to that account in the left sidebar.

  • Now the left sidebar is of fixed width, so Orkut has to truncate long feed titles. If a feed title is longer than 13 characters, only the first 13 characters of the title are displayed, followed by an ellipsis [...]

  • So in the hideme.xml case the first 13 characters are the opening of the script tag, and thus HTML rendering stops right there in the left sidebar. The main portion of the profile is not parsed at all!

>> Solution:
  • A very simple but highly costly solution is to validate feeds when the user adds them. I guess this would not be acceptable to users either, because of the delay caused by validation. Also, while working on orkutfeeds I have seen that today's valid feed may become invalid tomorrow, and vice versa!

  • So the next solution is to HTML-entity-escape the selected (truncated) portion of the feed title, as there is nothing wrong with truncating a long feed title.

  • In PHP this can be easily achieved using the function htmlspecialchars. There is presumably an equivalent in ASP as well.
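The truncate-then-escape fix described above, worked through as an added example that is not part of the original post or of Orkut's code. It uses Python's html.escape as the stand-in for PHP's htmlspecialchars; the sidebar markup, the 13-character limit from the post, and the hostile feed title are constructed for the demonstration.

```python
import html

SIDEBAR_MAX = 13  # characters Orkut showed before the ellipsis (from the post)

# Constructed feed titles: one ordinary, one whose first 13 characters are exactly
# the opening of a script tag with an unclosed quoted attribute.
NORMAL_TITLE = "Daily security news"
HOSTILE_TITLE = '<script src="http://example.invalid/x.js"></script>'


def truncate_title(title: str, limit: int = SIDEBAR_MAX) -> str:
    """Cut a feed title to the sidebar width, appending an ellipsis when it was cut."""
    return title if len(title) <= limit else title[:limit] + "..."


def render_sidebar_vulnerable(title: str) -> str:
    """Behaviour described in the post: the truncated title is inlined as raw HTML."""
    return f'<div class="feed">{truncate_title(title)}</div><div id="main">profile body</div>'


def render_sidebar_fixed(title: str) -> str:
    """Truncate first, then entity-escape the piece that is actually displayed.
    Escaping after truncation matters: cutting an already-escaped string could
    split an entity such as &amp; in half."""
    safe = html.escape(truncate_title(title), quote=True)
    return f'<div class="feed">{safe}</div><div id="main">profile body</div>'


def main_body_is_visible(markup: str) -> bool:
    """Simplified model of a browser tokenizer: text is visible only while the scanner
    is outside a tag; a quote opened inside a tag keeps that tag open until the quote
    closes. This is exactly how a cut-off <script src=" swallows the rest of the page."""
    in_tag, quote = False, None
    for i, c in enumerate(markup):
        if in_tag:
            if quote:
                if c == quote:
                    quote = None
            elif c in ('"', "'"):
                quote = c
            elif c == ">":
                in_tag = False
        elif c == "<":
            in_tag = True
        elif markup.startswith("profile body", i):
            return True
    return False
```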

>> Implications
  • Since you can only manage your own stuff, this is not serious as of now!

  • But the use of a script tag in the title field suggests that somebody discovered this bug while trying to find an XSS hole.

  • Now I guess Orkut is lucky this time, as the truncation saved them. Otherwise this could have been the ground for a perfect XSS attack! Maybe it is… ;-)

Credits: Orkut Addons blog by Bean!