Stealing Passwords had never been easier

I have already written once on how web security has taken a back seat thanks to the ever growing popularity of social networking websites. Recently I saw a trend in Orkut where people are setting their homepage to some http://meu.powerscrap.com/…. I tried one of those links and saw a replica of the person’s orkut profile over there. I even saw my pic in the friends’ list. But if I try to click on any of the links, a pop-up window comes and asks for my Orkut username and password to continue. To my surprise, all the images were directly from orkut.com and the exact ones used in Orkut.

I did a little bit of googling looking for any connection between orkut and powerscrap. But it seemed like people are using the latter as an alternative to Orkut in places where it is blocked and were all praise for powerscrap. I believe this must be a trusted site. But someone can use this technique just to snatch you off your username and password too. The sad part is that people are so desperate to network and don’t think twice when asked for username or password.

I think this now leads to the simplest form of social engineering. If you have a website and some web programming knowledge you can just walk away with thousands (at least hundreds) of usernames and passwords. You dont need content or users or even a database :). You can thrive on a popular website’s user-base and just enjoy the free passwords. As my title goes password hacking had never been easier.

1. Go buy a domain. Even a free sub-domain will do :).
2. Write code to pull data from Orkut or a similar website.
3. Send messages to a few giving your url and telling them the ADVANTAGE of using your website.

You are done. In a few days you might be honored for stealing passwords!!