Every request has started spoofing


Nemesh

Sep 26, 2008, 3:48:27 AM
to Orkut Developer Forum
Hello,

We have a few applications live on Orkut and suddenly those applications
have started spoofing. Have you changed anything on Google's server?
Spoofing started for some users yesterday and then it started
for every user today.

Thank you for your early reply.

Jason

Sep 26, 2008, 6:02:53 PM
to Orkut Developer Forum
As far as I know, there haven't been any changes to the orkut back-end
that would have caused requests to start spoofing, and I have
independently verified that the PHP validation code posted on the wiki
(with orkut's public key inline) works for me for both small GET
requests and large POST requests.

Please reply with your exact request code and the language that your
validation routine is in. (You may have to share it if I'm not able to
reproduce the problem on this end.) Also, can you let me know whether
this is affecting your apps in the sandbox, production orkut, or both?

- Jason

csharpsocial

Sep 28, 2008, 6:20:45 AM
to Orkut Developer Forum
My base URL has stopped validating against the oauth_signature. It has
stopped working on both Orkut and Hi5, and it had been working really
well since May.
I am using C# and the OAuthBase class, plus some code to do the RSA-SHA1
verification.
Has something changed recently? Could it be related to some Windows
updates?
Has anyone experienced the same issue?

Nemesh

Sep 29, 2008, 6:05:43 AM
to Orkut Developer Forum
Hello Jason,

Thank you for your early reply. We are using C# for the validation
routine. We can share the code if necessary. I think other people
using .NET code are also getting spoofed requests.

Thank You.

Nemesh

csharpsocial

Sep 29, 2008, 7:47:32 PM
to Orkut Developer Forum
Hi Jason,
Could I send you the code to check why it stopped working?

Appreciate your help.

Marco

Raman

Sep 30, 2008, 2:32:28 AM
to opensoci...@googlegroups.com
Yes, ditto.
I have a live app running on orkut (or should I say, it was), because my .NET code is not able to authenticate the requests from Orkut anymore. What's the issue? What has been changed?

Raman

Jason

Oct 1, 2008, 2:24:29 PM
to Orkut Developer Forum
Are all of you using custom (e.g. in-house, self-written) C#
validation code, or is there a shared routine for .NET back-ends? It's
somewhat disconcerting that this would break suddenly in such a
limited way (the PHP code provided in the wiki seems to work, so it's
not an issue with the public key), but it's also clear that there is
something going on.

Feel free to send me your source and I'll look into it straightaway,
but you may also want to take a look at this thread in the meantime
which has a complete C# validation routine (towards the bottom of the
post) that the developer indicates is working:

http://groups.google.com/group/opensocial-orkut/browse_thread/thread/6db6dcaa436ca75d#

- Jason

csharpsocial

Oct 1, 2008, 4:46:02 PM
to Orkut Developer Forum
Hi Jason,
I have sent you a test app with the code.

Thanks for your help

Marco



Jason

Oct 1, 2008, 8:40:01 PM
to Orkut Developer Forum
Thanks Marco. Can you test the source in the thread I linked to
previously while I work to verify the problem with yours?

- Jason

Nemesh

Oct 2, 2008, 9:42:11 AM
to Orkut Developer Forum
Hello Jason,

Here is our code:

using System;
using System.Collections;
using System.Collections.Specialized;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Web;
using OAuth; // OAuthBase as distributed on the opensocial-resources wiki

/// <summary>
/// Base page that checks the RSA-SHA1 signature orkut puts on signed requests
/// before the page trusts any opensocial_* parameter.
/// </summary>
public class oBasePage : System.Web.UI.Page
{
    private readonly HttpContext htp;

    public oBasePage(HttpContext _htp)
    {
        htp = _htp;
    }

    public bool isvalidrequest()
    {
        // The request must name our own app id before any signature work is done.
        string AppId = ConfigurationManager.AppSettings["oAppId"];
        string requestAppId = htp.Request.QueryString["opensocial_app_id"];
        if (requestAppId == null || requestAppId != AppId)
        {
            return false;
        }

        // orkut's public certificate, downloaded once and shipped with the app.
        X509Certificate Cert = X509Certificate.CreateFromCertFile(
            htp.Request.PhysicalApplicationPath + "/bin/pub.1199819524.-1556113204990931254.cer");

        // POST body parameters are part of the signed data, so collect them.
        NameValueCollection _p = htp.Request.Form;
        Hashtable _hp = new Hashtable();
        foreach (string k in _p.Keys)
        {
            if (k != null)
            {
                _hp[k] = _p[k];
            }
        }

        // OAuth sorts parameters in byte order, so use an ordinal comparer, not
        // the culture-sensitive default; then percent-encode each value (RFC 3986).
        SortedList _ps = new SortedList((IDictionary)_hp, StringComparer.Ordinal);
        string[] pairs1 = new string[_ps.Keys.Count];
        int l = 0;
        foreach (string name in _ps.Keys)
        {
            pairs1[l++] = name + "=" + Uri.EscapeDataString(_ps[name].ToString());
        }
        string http_params = String.Join("&", pairs1);
        if (_ps.Keys.Count != 0)
        {
            // The OAuthBase build used here takes the POST parameters as a
            // trailing "&name=value" string appended to the query parameters.
            http_params = "&" + http_params;
        }

        RSACryptoServiceProvider Provider = CertUtil.GetCertPublicKey(Cert);
        OAuthBase ba = new OAuthBase();
        string signature = htp.Request.QueryString["oauth_signature"];
        if (signature == null)
        {
            return false;
        }
        // oauth_token is null when the request carries none; whether OAuthBase
        // then still emits an empty oauth_token= in the base string is what
        // decides if the string below matches the one orkut signed.
        string baseString = ba.GenerateSignatureBase(htp.Request.Url,
            htp.Request.QueryString["oauth_consumer_key"], "",
            htp.Request.QueryString["oauth_token"], "", htp.Request.HttpMethod,
            htp.Request.QueryString["oauth_timestamp"],
            htp.Request.QueryString["oauth_nonce"], "RSA-SHA1", http_params);

        byte[] sign = Convert.FromBase64String(signature);
        byte[] bstring = Encoding.UTF8.GetBytes(baseString);
        // RSA-SHA1: a PKCS#1 v1.5 signature over the SHA-1 digest of the base string.
        // Note this only proves origin; replay protection (oauth_timestamp and
        // oauth_nonce) is not checked here.
        return Provider.VerifyData(bstring, "SHA1", sign);
    }
}

/// <summary>
/// Extracts the RSA public key from an X.509 certificate through CryptoAPI
/// (CryptDecodeObject into a PUBLICKEYBLOB) and loads it into an
/// RSACryptoServiceProvider.
/// </summary>
public sealed class CertUtil
{
    const uint X509_ASN_ENCODING = 0x00000001;
    const uint PKCS_7_ASN_ENCODING = 0x00010000;
    static readonly uint ENCODING_TYPE = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
    // lpszStructType is an LPCSTR; the predefined structure ids are passed as
    // small integers in the pointer, so use IntPtr to stay correct on x64.
    static readonly IntPtr RSA_CSP_PUBLICKEYBLOB = new IntPtr(19);

    private CertUtil()
    {
    }

    public static RSACryptoServiceProvider GetCertPublicKey(X509Certificate cert)
    {
        byte[] publickeyblob;
        byte[] encodedpubkey = cert.GetPublicKey(); // ASN.1 DER encoded RSAPublicKey
        uint blobbytes = 0;

        // First call sizes the buffer, second call fills it.
        if (Win32.CryptDecodeObject(ENCODING_TYPE, RSA_CSP_PUBLICKEYBLOB,
            encodedpubkey, (uint)encodedpubkey.Length, 0, null, ref blobbytes))
        {
            publickeyblob = new byte[blobbytes];
            if (!Win32.CryptDecodeObject(ENCODING_TYPE, RSA_CSP_PUBLICKEYBLOB,
                encodedpubkey, (uint)encodedpubkey.Length, 0, publickeyblob, ref blobbytes))
            {
                throw new CryptographicException("Could not decode publickeyblob from certificate publickey");
            }
        }
        else
        {
            throw new CryptographicException("Could not decode publickeyblob from certificate publickey");
        }

        // Blob layout: PUBLICKEYSTRUC, then RSAPUBKEY, then the modulus (little-endian).
        PUBKEYBLOBHEADERS pkheaders = new PUBKEYBLOBHEADERS();
        int headerslength = Marshal.SizeOf(pkheaders);
        IntPtr buffer = Marshal.AllocHGlobal(headerslength);
        try
        {
            Marshal.Copy(publickeyblob, 0, buffer, headerslength);
            pkheaders = (PUBKEYBLOBHEADERS)Marshal.PtrToStructure(buffer, typeof(PUBKEYBLOBHEADERS));
        }
        finally
        {
            Marshal.FreeHGlobal(buffer);
        }

        //----- Get public exponent -------------
        byte[] exponent = BitConverter.GetBytes(pkheaders.pubexp); // little-endian
        Array.Reverse(exponent); // RSAParameters wants big-endian

        //----- Get modulus -------------
        int modulusbytes = (int)pkheaders.bitlen / 8;
        if (publickeyblob.Length < headerslength + modulusbytes)
        {
            throw new CryptographicException("Problem getting modulus from publickeyblob");
        }
        byte[] modulus = new byte[modulusbytes];
        Array.Copy(publickeyblob, headerslength, modulus, 0, modulusbytes);
        Array.Reverse(modulus); // little-endian to big-endian

        RSAParameters parms = new RSAParameters();
        parms.Modulus = modulus;
        parms.Exponent = exponent;
        RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
        rsa.ImportParameters(parms);
        return rsa;
    }
}

/// <summary>
/// PUBLICKEYSTRUC (BLOBHEADER) immediately followed by RSAPUBKEY, as laid out
/// in wincrypt.h. Marshal.SizeOf gives 20 bytes.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct PUBKEYBLOBHEADERS
{
    public byte bType;     // PUBLICKEYBLOB
    public byte bVersion;  // CUR_BLOB_VERSION
    public short reserved;
    public uint aiKeyAlg;  // CALG_RSA_KEYX or CALG_RSA_SIGN
    public uint magic;     // "RSA1"
    public uint bitlen;    // modulus length in bits
    public uint pubexp;    // public exponent
}

internal static class Win32
{
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CryptDecodeObject(
        uint dwCertEncodingType, IntPtr lpszStructType,
        byte[] pbEncoded, uint cbEncoded, uint dwFlags,
        byte[] pvStructInfo, ref uint pcbStructInfo);
}

csharpsocial

Oct 2, 2008, 4:37:46 PM
to Orkut Developer Forum
Ok, I'll give it a go...
It looks like the problem would reside in the OAuthBase class that we
all kind of share, considering it is downloadable from the wiki, and
considering that my code differs from Nemesh's code only in the
certificate handling.
I'll keep you posted on the progress.

Marco

Nemesh

Oct 3, 2008, 4:59:02 AM
to Orkut Developer Forum
Hello Jason,

I saw that the variables appended to the URL upon signing the request
have changed. I see a new variable "opensocial_app_url". I am not sure
if it existed earlier also. So there might be something that has changed
in the OpenSocial API. Can anyone confirm this?

Nemesh

Raman

Oct 3, 2008, 6:47:36 AM
to opensoci...@googlegroups.com
Oh yes!!! I haven't ever seen this parameter too!
opensocial_app_url..!???

You are so right!

--
Raman

Nemesh

Oct 3, 2008, 3:26:03 PM
to Orkut Developer Forum
Hello Everyone,

We have fixed the problem. If anyone needs a solution, then please let
us know and we will send you the new OAuth supporting files.

Thank you.

Nemesh

Jason

Oct 3, 2008, 8:20:44 PM
to Orkut Developer Forum
I'm sorry I couldn't get to this sooner, but I'm happy to hear you
have a solution. We would be happy to add your validation routine to
the opensocial-resources wiki if you're interested in sharing with
other developers. We have PHP and Java code already posted:

http://code.google.com/p/opensocial-resources/wiki/OrkutValidatingSignedRequests

- Jason

Nemesh

Oct 4, 2008, 7:37:08 AM
to Orkut Developer Forum
Hello Jason,

It's okay :). Thank you so much for your efforts.

We would be glad if we could be of help to others in anyway. You can
download the code from here:
http://www.xtremeheights.com/oAuth/oauth-net.zip

This is plug-and-play kind of code. Just add the 2 .cs files and copy
the code provided in the .txt file to all the pages which require
authentication.

Please feel free to ask me any questions you may have.

Thank You.

Nemesh Singh


csharpsocial

Oct 5, 2008, 12:54:41 PM
to Orkut Developer Forum
I have managed to play with my code and I have found that
oauth_token was previously used in the base string as an empty value,
whereas now it is completely omitted. Just making sure that my code
does not force the oauth_token parameter into the base string gets my
code up and running again.

Although I think there have been some more changes related to the
normalisation of parameters, as to when they should be URL-encoded or
not to match the signature.

opensocial_app_url should not really make any difference, as it is just
another custom parameter; it could have been any parameter needed by
your application. opensocial_app_url would have characters like http://
that will need to be escaped, and this could cause issues in
verification code.

Once I solve all the issues with the dilemma of escaping or not, I'll
post my code.

Marco
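The two base-string effects Marco describes above, and the new opensocial_app_url parameter Nemesh noticed, worked through in an added Python example. This is not code from the thread, from OAuthBase or from orkut; it builds the OAuth 1.0 signature base string per RFC 5849 section 3.4.1, once as the container would sign it and once as a verifier that forces an empty oauth_token= would compute it. The request URL, consumer key, timestamp, nonce, signature value and __display_name in it are constructed sample data.

```python
"""OAuth 1.0 signature base string (RFC 5849, section 3.4.1).

Shows the two effects Marco describes: a verifier that forces an empty
oauth_token into the base string stops matching once the container omits
the parameter, and a value such as opensocial_app_url is percent-encoded
once as a value and again as part of the whole parameter string.
Added example; the request below is constructed, not a captured orkut request.
"""
import hashlib
from urllib.parse import parse_qsl, quote, urlsplit


def percent_encode(value):
    # RFC 3986: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay literal;
    # ":" and "/" inside a URL-valued parameter become %3A and %2F.
    return quote(value, safe="")


def normalize_url(url):
    # Lower-case scheme and host, drop the default port, the query and the fragment.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, parts.path or "/")


def normalize_parameters(params):
    # Encode keys and values, sort by (key, value), join. oauth_signature is the
    # output of signing and is never part of the signed data.
    encoded = sorted((percent_encode(k), percent_encode(v))
                     for k, v in params if k != "oauth_signature")
    return "&".join("%s=%s" % kv for kv in encoded)


def signature_base_string(method, url, params):
    return "&".join([method.upper(),
                     percent_encode(normalize_url(url)),
                     percent_encode(normalize_parameters(params))])


def request_parameters(url, form):
    # Query-string pairs plus POST body pairs, as a server-side verifier
    # collects them (Request.QueryString and Request.Form in ASP.NET).
    return parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(form)


def verifier_base_string(method, url, form, force_empty_token=False):
    # force_empty_token=True reproduces the pre-fix behaviour Marco describes:
    # oauth_token= was appended with an empty value even when the request
    # carried no token at all.
    params = request_parameters(url, form)
    if force_empty_token and not any(k == "oauth_token" for k, _ in params):
        params.append(("oauth_token", ""))
    return signature_base_string(method, url, params)


# Constructed signed POST in the shape a container sends to an app (not a capture).
REQUEST_URL = ("http://example.com/app/canvas.aspx"
               "?opensocial_app_id=123456&opensocial_owner_id=owner42"
               "&opensocial_app_url=http%3A%2F%2Fexample.com%2Fapp%2Fgadget.xml"
               "&oauth_consumer_key=orkut.com&oauth_signature_method=RSA-SHA1"
               "&oauth_timestamp=1222900000&oauth_nonce=abc123"
               "&oauth_signature=c2lnbmF0dXJlLWJ5dGVzLWdvLWhlcmU%3D")
REQUEST_FORM = [("__display_name", "Test User")]


def sha1_hex(text):
    # RSA-SHA1 signs the SHA-1 digest of the base string (PKCS#1 v1.5), so
    # differing digests guarantee VerifyData fails before any RSA arithmetic.
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def compare_verifiers():
    # (what the container signed, what the pre-fix verifier checks against,
    #  what a verifier that omits an absent oauth_token checks against)
    signed = signature_base_string("POST", REQUEST_URL,
                                   request_parameters(REQUEST_URL, REQUEST_FORM))
    broken = verifier_base_string("POST", REQUEST_URL, REQUEST_FORM, force_empty_token=True)
    fixed = verifier_base_string("POST", REQUEST_URL, REQUEST_FORM)
    return signed, broken, fixed


if __name__ == "__main__":
    signed, broken, fixed = compare_verifiers()
    print("container signed:", signed)
    print("forced token    :", broken)
    print("digest match, forced token :", sha1_hex(signed) == sha1_hex(broken))
    print("digest match, token omitted:", sha1_hex(signed) == sha1_hex(fixed))
```

The forced oauth_token= lands between oauth_timestamp and opensocial_app_id in sort order, so a single extra `%26oauth_token%3D` is enough to change the SHA-1 digest and fail the RSA check. Note also that opensocial_app_url appears in the final string as `http%253A%252F%252F...`: encoded once as a value, then again with the whole parameter string, which is the escaping question Marco raises.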