Today evening while signing into orkut to thank the bday wishers, I noticed that somehow the correct username / password combination was failing and noticed the URL as
http://okrutt-co-in.110mb.com/orkutt.htm
instead of something like orkut.com / co.in or google account login URL
On checking the pages via Firebug, the baseURI is different,
i.e. the original is something like:
https://www.google.com/accounts/ServiceLogin?service=orkut&hl=en-US&rm=false&cd=IN&passive=true&skipvpage=true&sendvemail=false&continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3D%252FMain%2523Home.aspx
and the cracker has:
http://okrutt-co-in.110mb.com/orkutt.htm
It is found that the above URL is POSTing the username / password combination to a PHP file,
orkut.php,
which posts the username / password to the Google auth mechanism after saving it to the cracker's DB / sending it out to an email address.
The most important change is in the form gaia_loginform :
bgcolor="#E8EEFA">
<form id="gaia_loginform" action="orkut.php" method="post"
onsubmit="return(gaia_onLoginSubmit());">
In the original orkut page, the login information is POSTed to
https://www.google.com/accounts/ServiceLoginAuth?service=orkut
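The form-action difference described above can be checked mechanically. The following is an added example, not part of the original post: it resolves each form's action against the page URL and flags any login form whose credentials would leave HTTPS or go to a host outside an allow-list. The function names, the allow-list and the two sample pages are assumptions constructed from the snippets quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hosts allowed to receive credentials from this login form.
TRUSTED_HOSTS = {"www.google.com"}

class FormActionCollector(HTMLParser):
    """Collects (form id, raw action attribute) for every <form> tag."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("id"), a.get("action") or ""))

def audit_login_forms(page_url, html, trusted_hosts=TRUSTED_HOSTS):
    """Resolve each form action against the page URL and list why it is unsafe."""
    collector = FormActionCollector()
    collector.feed(html)
    findings = []
    for form_id, action in collector.forms:
        # A relative or empty action posts back to the host serving the page.
        target = urljoin(page_url, action)
        parts = urlsplit(target)
        reasons = []
        if parts.scheme != "https":
            reasons.append("credentials not sent over https")
        # Exact host match, so look-alike names do not pass.
        if (parts.hostname or "") not in trusted_hosts:
            reasons.append("posts to untrusted host " + (parts.hostname or "?"))
        findings.append({"form": form_id, "target": target, "reasons": reasons})
    return findings

# Constructed samples based on the two forms quoted in the post.
PHISH_URL = "http://okrutt-co-in.110mb.com/orkutt.htm"
PHISH_HTML = ('<form id="gaia_loginform" action="orkut.php" method="post" '
              'onsubmit="return(gaia_onLoginSubmit());"></form>')
REAL_URL = "https://www.google.com/accounts/ServiceLogin?service=orkut&hl=en"
REAL_HTML = ('<form id="gaia_loginform" method="post" '
             'action="https://www.google.com/accounts/ServiceLoginAuth?service=orkut"></form>')

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (REAL_URL, REAL_HTML)):
        for f in audit_login_forms(url, html):
            print(f["form"], f["target"], f["reasons"] or "OK")
```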
I am about to mail Google security / abuse etc. and 110mb.com support. If possible I will update here.
————————————————————————————————————————–
Even if you do not understand any of the above, while signing in to orkut.com / a Google account make sure that the URL appearing in the browser's page is something like
https://www.google.com/accounts/ServiceLogin?service=orkut&hl=en
————————————————————————————————————————–
PS: I am extremely sleepy and the analysis may be wrong.