The last few days have been really good for orkut, with the mobile version and the lightweight version being launched, as well as orkut apps being unveiled in India.
But now it's time to get back to the bugs in Orkut, which keep it hot and (in)famous among bloggers and hackers.
A new bug has been found in Orkut albums which, in my experience, is the most severe bug so far because of what it lets you do. Any user can perform the following actions on anyone's album…
* Delete all photos from the album
* Edit any image caption to anything
* Change the album cover
What makes it most severe is that it works on locked albums too. We had a hack a few days back to view locked albums, but it was not as severe as this, since a user could only view the images and could not change them!
Considering the scrap-all scripts and the communities medium on orkut, it may become available to everyone at any time, even though I am not disclosing the technical details here.
What's the worst that could happen…
If used in a program, this bug could delete millions of photos and cause complete chaos on orkut!
What to do now…
Back up your orkut albums if you don't already have the photos offline. If you have serious privacy concerns, remove all photos from your album as soon as possible. Locking your album will not help!
It's really foolish to rely on Orkut to fix this bug, although they will do it ASAP considering the damage it can cause to Orkut.
Where could the problem be…
A single program, whose name I cannot disclose here, is not validating users properly. I guess it is relying on its parent page for that, since a direct link to it is not obvious from prominent places like the homepage, profile, etc.
This is really bad programming. You should never take things for granted when you are dealing with privacy.
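To make the pattern concrete, here is an added illustration (my own sketch, not Orkut's code) of an album-edit handler that assumes only the owner could have reached it, beside one that checks ownership itself; the users, albums and function names are made up for the example.

```python
# Added illustration, not Orkut's code: an album-edit handler that trusts the
# page it was reached from, beside one that checks album ownership itself.
# Users, albums and function names are constructed for the example.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller may not modify the album."""

@dataclass
class Album:
    owner: str
    locked: bool
    photos: dict = field(default_factory=dict)  # photo_id -> caption
    cover: str = ""

def make_albums() -> dict:
    """Constructed sample data: alice has a locked album, bob an open one."""
    return {
        "album-1": Album("alice", True, {"p1": "beach", "p2": "hills"}, "p1"),
        "album-2": Album("bob", False, {"p3": "city"}, "p3"),
    }

def delete_photo_insecure(albums: dict, session_user: str, album_id: str, photo_id: str) -> None:
    """Flawed pattern: only confirms that *someone* is logged in and assumes the
    delete link can only be reached from the owner's own album page. Neither the
    owner nor the album lock is consulted, and a Referer check would be no
    better, since the client controls that header too."""
    if not session_user:
        raise Forbidden("not logged in")
    albums[album_id].photos.pop(photo_id, None)  # any logged-in user succeeds

def require_owner(session_user: str, album: Album) -> None:
    """The check the action endpoint itself must make, locked album or not."""
    if not session_user or album.owner != session_user:
        raise Forbidden("album does not belong to the caller")

def delete_photo_secure(albums: dict, session_user: str, album_id: str, photo_id: str) -> None:
    album = albums[album_id]
    require_owner(session_user, album)  # authorize before any state change
    album.photos.pop(photo_id, None)

def set_caption_secure(albums: dict, session_user: str, album_id: str, photo_id: str, caption: str) -> None:
    album = albums[album_id]
    require_owner(session_user, album)
    if photo_id not in album.photos:
        raise KeyError(photo_id)
    album.photos[photo_id] = caption
```

The same ownership check belongs in front of the cover-change action too; the secure handlers never rely on which page issued the request.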
Unfortunately, I cannot post the vulnerability in the orkut help group, as it could be misused by other readers there. :-(
Open request to fellow bloggers…
I saw this for the first time 4 days back in an orkut community. Jerry and many other bloggers chose to keep it secret, but I guess that is what is delaying a fix. Likewise, if you come to know about it, do not unveil the details until the bug gets fixed.