Orkut vulnerable to 2 user authentication issues

Written by KF

Friday, 22 June 2007

Update, July 2nd 2007: A few days after the first advisory, Susam Pal published a follow-up that updates the original Orkut advisory. It explains how the same holes could also be used to compromise a Google account, using the SID and LSID cookies.


Susam Pal and Vipul Agarwal published today an interesting advisory about some vulnerabilities affecting Orkut, the well-known social networking website owned by Google.

They state two things:
- First, when an operation fails, the application sometimes sends the user back to the main page and asks them to log in again, without actually logging them out. This can mislead users into believing they have been logged out.
- Second, the "orkut_state" cookie can still be used to log in successfully even after the user has logged out. This is probably because the session is never marked as expired on the server side.
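The server-side failure behind the second point can be illustrated with a small session store. The following is an added example, not code from the advisory or from Orkut: it contrasts a logout that only tells the browser to drop the cookie with one that also deletes the server-side session, and includes the replay check a tester would run against their own application to confirm that a previously issued cookie is rejected after logout. The in-memory store, the token format, the session lifetime and the user names are all assumptions for the example.

```python
import secrets
import time

# Constructed in-memory session store (example only, not Orkut's or Google's
# code). Keys are opaque session tokens, i.e. the value an application would
# place in a cookie such as "orkut_state".
SESSIONS = {}

SESSION_LIFETIME = 3600  # seconds; assumed value for the example


def login(username):
    """Create a server-side session and return the token to put in the cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": time.time() + SESSION_LIFETIME}
    return token


def is_authenticated(token):
    """Return the user name if the token maps to a live session, else None."""
    session = SESSIONS.get(token)
    if session is None or session["expires"] <= time.time():
        # Drop stale entries so an expired token can never be revived.
        SESSIONS.pop(token, None)
        return None
    return session["user"]


def logout_client_only(token):
    """Flawed pattern: the browser is told to discard the cookie, but the
    server-side record is left intact. This is the behaviour the advisory
    describes: a cookie copied before "logout" keeps working afterwards."""
    return {"Set-Cookie": "orkut_state=; Max-Age=0"}


def logout(token):
    """Correct pattern: expire the session on the server *and* clear the cookie."""
    SESSIONS.pop(token, None)
    return {"Set-Cookie": "orkut_state=; Max-Age=0"}


def replay_after_logout(logout_fn):
    """Regression check: log in, keep a copy of the token (as a shared-machine
    or MITM observer would), log out with logout_fn, then present the copy
    again. Returns True if the replayed token is still accepted, i.e. the
    application is vulnerable."""
    token = login("alice")
    captured = token
    logout_fn(token)
    return is_authenticated(captured) is not None


if __name__ == "__main__":
    print("cookie-only logout still accepts old token:", replay_after_logout(logout_client_only))
    print("server-side logout still accepts old token:", replay_after_logout(logout))
```

The replay check is the useful part for a defender: run it against every logout path in an application, including the "session failed, please log in again" redirect from the first point, since that path is just as likely to skip the server-side invalidation.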

These two vulnerabilities are particularly dangerous on shared computers such as those in cybercafes, or in the event of a man-in-the-middle attack. They have been verified as working on June 23rd 2007.

Orkut has suffered from other vulnerabilities in the past, including XSS, script insertion, information disclosure, and a worm which propagated malware:
