Adding Custom Images to Orkut User Status Updates! [New Bug]

23 Jun, 2008  Orkut, Security | by Rahul Bansal (449)

Update: This bug is fixed now. Details are here. I am closing comments to avoid unnecessary comments.

A bug in orkut let you add custom images to Orkut’s status update feature as shown below…

image

As you can see OrkutFeeds logo in above screenshot is not a standard smiley which orkut users can add as part of their status updates messages.

Here are steps to to use this bug…

1. Go to your orkut profile and find status update field. Click on edit button…

2. Next put code shown below in it and click update.

<img
src="http://img4.orkut.com/img/smiley/../../images/medium/607105044/71300207/pt.jpg">

Above will add OrkutFeeds logo. Now to add image of your choice…

  • It must be on orkut.
  • It must be on orkuts image server ex: img4.orkut.com, img3.orkut.com

Now here is the simplest way to put an image on orkuts image server. Upload any image as your profile display-pic or community pic and it will go on orkuts image server of our interest. (Note: Uploading to community is recommended)

Once you find image you are looking for on say orkut community, get its URL. Firefox users can simply right-click on an image and select Copy Image Location option from context menu. [Note: this will not work on profile pictures.]

image

Now once you have URL where host name is like img4.orkut.com copy entire path from first slash (/) onwards.

Ex.

For URL:

http://img2.orkut.com/images/mittel/1203938171/19587001.jpg

Copy only:

images/mittel/1203938171/19587001.jpg

Now paste copied part between :

<img src=”http://img4.orkut.com/img/smiley/../../   and   ”>

So final code will be:

<img src=”http://img4.orkut.com/img/smiley/../../images/mittel/1203938171/19587001.jpg”>

You can put anything before and after final codes. Those who know HTML can easily recognize this img tag.

Copying profile picture requires opening HTML source code or using Backgroundimage Saver addon (firefox only).

Technical Details…

Some of you have noticed strange /../.. in URL. This is a standard hacking technique known as Directory Traversal attack. The goal of this attack is to order an application to access a computer file that is not intended to be accessible. More details about this technique are here.

Now although directory traversal is not so sever thing, its presence may catch eyes of hacker community. As always in past, this may lead to a new XSS hole on orkut. Strangely in my analysis I have found many HTML tags are allowed in status update filed than desired from security point of view!

(Credit: The bug is discovered by Pranav Pareek)

Share and Enjoy:
  • Digg
  • del.icio.us
  • IndianPad
  • StumbleUpon
  • Technorati
  • YahooMyWeb
  • Furl
  • Reddit
  • Google
  • TwitThis
  • Facebook
  • Slashdot
  • SphereIt
  • blogmarks
  • MisterWong

If you like this post, you may subscribe to my RSS feed or email alerts to receive automatic updates in future! Thanks for reading... :-)

Related Posts

PJN July Promo

Comment RSS · TrackBack URI

12 Comments (including Pingbacks/Trackbacks)

  1.  

    zorro said, on June 23, 2008 @9:33 pm

    man isnt workin wid me
    pweez help man!!

  2.  

    Pavan Kumar said, on June 24, 2008 @6:50 am

    Even I too failed, I used my profile image and failed, and when I used an image from album, the length of url got truncated. I did not try with community image. Let me see when free….

  3.  

    nrj said, on June 24, 2008 @8:39 am

    its working rahul..
    u r cooooool

  4.  

    Aditya said, on June 24, 2008 @4:26 pm

    As far as I tested, it works onl with short image path, like ur community or profile DP. It does not work with album pics..! Correct me if I am wrong..

  5.  

    Gaurav said, on June 24, 2008 @11:17 pm

    I too had noticed the change as one of my friend had his status update shown in green color.

  6.  

    Rahul Bansal said, on June 24, 2008 @11:39 pm

    @zorro & Pavan
    Buddy you cant use any image apart from orkut community & profile display pics.
    By the way if you have problem creating your own code just give us link to image on orkut you want to use and I will send you readymade code. :-)

    @nrj & Aditya
    Orkut images from album are hosted on images.orkut.com server.
    Only images hosted on img1/img2/img3/img4.orkut.com server can be used.
    By the way thumbnails of orkut album are hosted on servers of our interest. :-)

    @Gaurav
    I guess then font tag also working then…
    God save orkut from another XSS attack!

  7.  

    Aditya said, on June 25, 2008 @1:22 pm

    I have tested it for many things, it works for font,href,img tags. And yeah, it will work for any image that is stored on orkut server. In fact, this was being used by Orkut engineers from the time this feature was launched. I just saw it in one of my buddy’s profile, who happens to work with the orkut team. :)

  8.  

    Deepak Jain said, on June 25, 2008 @9:02 pm

    :( I am unable to do this..
    The html tag i’ve made is

    and this image is from this community
    http://www.orkut.co.in/Community.aspx?cmm=4300789

  9.  

    Rahul Bansal said, on June 27, 2008 @1:43 pm

    @Aditya
    Nice findings buddy… :-)

    @Deepak
    Can we try with any other image??

  10.  

    nrj said, on June 27, 2008 @10:49 pm

    thanks a lot aditya for the useful info…

    i m gonna try it out,..
    thanx dude.

  11.  

    Akshay Jain said, on July 1, 2008 @4:23 pm

    plz help me
    http://www.orkut.co.in/Community.aspx?cmm=47457297&refresh=1
    i m dont able to this plz help me

  12.  

    Rahul Bansal said, on July 1, 2008 @4:33 pm

    @Akshay
    Sent you code. Just check ur gmail account.. :-)