New Orkut Bug Let Anyone Edit & Delete Photos of Any Orkut user [ALERT]

Update: This bug is temporarily fixed as of now. Details are here.


The last few days have been really good for Orkut, with the mobile version and lightweight version being launched as well as Orkut apps unveiled in India.

But now it's time to get back to the bugs in Orkut, which keep it hot and (in)famous among bloggers and hackers.

A new bug has been found in Orkut albums which, in my experience, is the most severe bug because of what it lets you do. Any user can perform the following actions on anyone’s album…

  • Delete All photos from album
  • Edit image caption to anything
  • Change album cover

What makes it most severe is that it works with locked albums. We had a hack a few days back to view locked albums, but it was not as severe as this, as the user could only view the images and could not change them!

Considering the scrap-all scripts and the communities medium on Orkut, it may become available to all at any time, although I am disclosing technical details here.

What is the worst that could happen…

If used in a program, this bug can delete millions of photos and cause complete chaos on orkut!

What to do now…

Back up your Orkut albums if you don’t have them offline. If you have serious concerns over privacy, please remove all photos from your albums as soon as possible. Locking your album will not work!

It's really foolish to rely on Orkut to fix this bug, although they will do it ASAP considering the damage it can cause to Orkut.

Where the problem could be…

A single program, whose name I cannot disclose here, is not validating users properly. I guess it's relying on its parent page, considering that a direct link to it is not obvious from prominent places like the homepage, profile, etc.

This is really bad programming. You should never take things for granted when you are dealing with privacy.
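The flaw described above, a handler that skips the ownership check because it expects to be reached only through its parent page, shown next to a version that authorizes every write on the server. This is an added example, not Orkut's code; the album store, user names and function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Album:
    owner_id: str
    locked: bool  # governs who may view; never consulted for writes
    photos: dict = field(default_factory=dict)  # photo_id -> caption

class Forbidden(Exception): pass  # session user may not modify the album

def make_albums():
    # Constructed sample data: one locked album owned by "alice".
    return {"a1": Album("alice", True, {"p1": "beach", "p2": "party"})}

def edit_caption_unchecked(albums, session_user, album_id, photo_id, caption):
    # Flawed pattern: trusts that the request came from the owner's album
    # page, so session_user is never compared with the album owner.
    albums[album_id].photos[photo_id] = caption

def require_owner(albums, session_user, album_id):
    album = albums.get(album_id)
    # One error for "no such album" and "not yours", so ids cannot be probed.
    if session_user is None or album is None or album.owner_id != session_user:
        raise Forbidden(album_id)
    return album

def edit_caption(albums, session_user, album_id, photo_id, caption):
    album = require_owner(albums, session_user, album_id)
    album.photos[photo_id] = caption

def delete_photo(albums, session_user, album_id, photo_id):
    album = require_owner(albums, session_user, album_id)
    del album.photos[photo_id]

def demo():
    albums = make_albums()
    edit_caption_unchecked(albums, "mallory", "a1", "p1", "changed")
    unchecked = albums["a1"].photos["p1"]   # non-owner write went through
    albums = make_albums()
    try:
        delete_photo(albums, "mallory", "a1", "p1")
        blocked = False
    except Forbidden:
        blocked = True                      # checked handler refuses
    delete_photo(albums, "alice", "a1", "p2")
    return unchecked, blocked, sorted(albums["a1"].photos)

if __name__ == "__main__":
    print(demo())
```

The check lives in each state-changing handler and keys on the authenticated session, so it holds no matter which page, link or script issued the request.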

Unfortunately, I cannot post the vulnerability in the Orkut help group, as it can be misused by other readers there. 🙁

Open request to fellow bloggers…

I saw this for the first time 4 days back in an Orkut community. Gaurav and many other bloggers choose to keep it secret. But I guess that is what is delaying a fix. Likewise, if you come to know about it, do not unveil the details until the bug gets fixed.

13 Comments

gengis April 18, 2008

shit man…. after working soo much on the cookie structure…
i thought orkut getting better 🙁

so sad this is happening!!

Rahul Bansal April 18, 2008

@gengis
This is the reason I like facebook more!
It's much more secure than orkut.
Between this bug is fixed now temporarily… 🙂

naweed April 21, 2008

no words u man..

ali April 23, 2008

heyy u jus informed dat we can view n delete photos on a locked album…but u dint give the procedure how we can do it..can i have the procedure??

Rahul Bansal April 24, 2008

@naweed
Didn’t get u???

@Ali
This bug is fixed now…
Details are here.

ginnie June 1, 2008

hey man plz describe the procedure i m in real trouble plz help

Rahul Bansal June 3, 2008

@ginnie
This bug was fixed long time back…
Details are here

ragib June 21, 2008

i couldn’t unlock others album how can i do it

Rahul Bansal June 24, 2008

@Ragib
This bug is not working as of now…

You may subscribe to my RSS feed or email alert to receive automatic updates in future 🙂

saMRaaTh May 25, 2009

man i searched a lot for viewing orkut locked albums script on grease monkey…….. but none works …but i think cookie stealing script should work if modified a little ….. what do u think?

Rakesh November 18, 2009

dude even facebook got a bug….
press up, up, down, down, left, right, left, right, B, A, Enter key, then right click and magic circles will appear. the only way to get rid of them is to log off or refresh the page

Lucky April 14, 2010

Du Ya Knw any 1 hw to hide our gender in orkut