New Orkut Bug Let Anyone Edit & Delete Photos of Any Orkut user [ALERT]

18 Apr, 2008 Orkut, Security | by Rahul Bansal (416)

Update: This bug is temporarily fixed as of now. Details are here.

Last few days had been really good for orkut with mobile version and lightweight version being launched as well as orkut apps unveiled in India.

But now its time to get back to the bugs in Orkut, what keep it hot and (in)famous among bloggers and hackers.

A new bug found in Orkut album which in my experience most severe bug due to the thing it let you do. Any user can perform following actions on anyone’s album…

Delete All photos from album
Edit image caption to anything
Change album cover

What makes it most severe is, it works with locked album. We had a hack few days back view locked album. But it was not severe like this as user could only view the images and could not change them back!

Considering scrap-all script and communities medium on orkut, it may become available to all anytime although I am disclosing technical details here.

What the worst could happen…

If used in a program, this bug can delete millions of photos and cause complete chaos on orkut!

What to do now…

Back up your orkut album if you don’t have them offline. If you have serious concerns over privacy, please remove all photos from album as soon as possible. Locking your album will not work!

Its really foolish to rely on Orkut to fix this bug, although they will do it ASAP considering the damage it can cause to Orkut.

Where could be problem…

A single program whose name I can not disclose here, is not validating users properly. I guess its relying on its parent page considering, direct link to it not obvious from prominent places like homepage, profile, etc.

This is really bad programming. You should never take things for granted when you are dealing with privacy.

Unfortunately, I can not post vulnerability in orkut help group as it can be misused by other readers there.

Open request to fellow bloggers…

I saw this first time 4 days back in a orkut community. Jerry and many other bloggers choose to keep it secret. But I guess that is what delaying a fix. Likewise if you come to know about it, do not unveil the details until the bug gets fixed.

Share and Enjoy:

If you like this post, you may subscribe to my RSS feed or email alerts to receive automatic updates in future! Thanks for reading... :-)

9 Comments (including Pingbacks/Trackbacks) so far »

gengis said, on April 18, 2008 @4:26 pm

shit man…. after working soo much on the cookie structure…
i thought orkut getting better

so sad this is happening!!
Rahul Bansal said, on April 18, 2008 @4:31 pm

@gengis
This is the reason I like facebook more!
Its much more secure than orkut.
Between this bug is fixed now temporarily…
naweed said, on April 21, 2008 @11:45 pm

no words u man..
ali said, on April 23, 2008 @7:18 pm

heyy u jus informed dat we can view n delete photos on a locked album…but u dint give the procedure howwe can do it..can i have the procedure??
Rahul Bansal said, on April 24, 2008 @1:07 pm

@naweed
Didn’t get u???

@Ali
This bug is fixed now…
Details are here.
ginnie said, on June 1, 2008 @12:54 pm

hey man plz describe the procedure i m in real trouble plz help
Rahul Bansal said, on June 3, 2008 @12:08 pm

@ginnie
This bug was fixed long time back…
Details are here…
ragib said, on June 21, 2008 @9:04 pm

i could’t unlock others album how can i do it
Rahul Bansal said, on June 24, 2008 @11:11 pm

@Ragib
This bug is not working as of now…

You may subscribe to my RSS feed or email alert to receive automatic updates in future