Orkut Album Bug is Fixed. Details are here!

Few hours back, I wrote about latest orkut album bug which enabled any user to delete anyone’s photo. Looked like orkut is reading this blog as a bug open from 4 days is now fixed temporarily.

Anyway I feel its safe to unveil details now. As most of the stuff below is technical in nature, you can skip it if you want…

Where was the bug?

The bug was in EditPhotos.aspx, a program which handles orkut new album feature, editing all photos at once.

Now have a look at following URL structure…

http://www.orkut.com/EditPhotos.aspx?uid=NUM1&aid=NUM2&full=1

It takes three parameters. uid as most already know is a user id which is also in profile, scrapbook and user specific URL’s.

aid is for album id. Its relatively new and identifies each orkut album uniquely. It was introduced with the launch of album feature into orkut. Before that there was a single album only for all photos.

I don’t know more about full=1 but it has to be there in every request I observed.

How it was used?

uid is easy to get but we need aid to target an album. Also all combination of uid and aid are not valid, even if they exist separately.

So best way was to go to album first. A URL to an album is like

http://www.orkut.com/Album.aspx?uid=1545095170420763194&aid=1200558782

Now use values of uid and aid from URL like above and construct a URL for EditPhotos.aspx which is like below, in this case…

http://www.orkut.com/EditPhotos.aspx?uid=1545095170420763194&aid=1200558782&full=1

Now opening link like above just few hours back could give you EDIT access to the Tanmay’s album which we used in this example! ๐Ÿ˜‰

But what about locked or private album?

Yeah, the question is valid as in order to gain EDIT access to album you need to view them first and if album is locked, you can not view them.

Now coming back to the event when orkut launched album feature, if you remember, there was a default album created for you by orkut. All such album have aid=1. And uid is something not secret at all!

So even if a user choose to lock albums, first album could be viewed and edited! And barring one exception in my own test all locked album shown in content of first album. Of course I haven’t edited them! ๐Ÿ˜‰

What the hell is this EDIT access I am talking about?

Put in simple terms, anyone can do to your albums things you think only you could do… ๐Ÿ˜‰

Where things might went wrong?

As I mentioned in earlier post, it looked to me Orkut relayed upon authentication handled by parent program. EditPhotos.aspx have only direct link from Album.aspx. Album.aspx do authenticate a user in order to show/hide uploading option and some other features. But EditPhotos.aspx seemed to count on it, which is wrong thing to do. Every program where thing can be written back must authenticate content owner separately!

Is this bug really fixed?

One word answer is NO. But orkut has taken down EditPhotos.aspx as of now so it will come back with fix hopefully. So as of now neither you, nor anyone else can use edit all photo feature at once!

YES, the bug is fixed and EditPhotos.aspx is back. So there is nothing to worry for a while!

But I repeat, never count on orkut for your safety! ๐Ÿ™‚

27 Comments

rishab April 18, 2008

Hey tell us how to see pics den ?

Rahul Bansal April 24, 2008

@rishab
Not possible as of now!
The bug is fixed! ๐Ÿ™‚

rahul April 23, 2008

please tell me how do i unlock the album in orkut because its a matter of my life as i have a doubt about my fiancee … so for god sake please help

Rahul Bansal April 24, 2008

@rahul
Sorry bro, bug is fixed so no donuts as of now! ๐Ÿ™

One personal suggestion…
If you don’t trust her… better leave her. It never works without trust! ๐Ÿ™‚

Bajal April 26, 2008

Looks like the bug did get fixed after all. This is what you get now :

Bad, bad user! No donut for you.

You are not authorized to do the requested action.

๐Ÿ˜€ ๐Ÿ˜€

Rahul Bansal May 3, 2008

@Bajal
First sorry for late reply as I was offline on a long vacation.

Now the bug got fixed on same day I posted this. I forgot to update this post… ๐Ÿ™
Thanks for reminding… ๐Ÿ™‚

saurabh June 9, 2008

dear find new way to c album or any bug

Rahul Bansal June 12, 2008

@Saurabh
Man its not easy anymore… ๐Ÿ™
Orkut is getting more n more secure everyday…

@blueshift
Your welcome buddy ๐Ÿ™‚

blueshift June 10, 2008

Never knew about this. Thanks.

Prashant October 11, 2008

it will open your album for editing…..!!

Rahul Bansal October 12, 2008

@Prashant
It won’t… ๐Ÿ˜‰
It used to but… for few days.. ๐Ÿ™‚

EXPTORIZ October 24, 2008

i found a new way to explot a album, using a sql injection , to explit the old vunarility crreating a target reponse from the codding, which will enable a temoporary acces ID while the request is been sent that temporary id will be opened untill the session has finalized which can take up to 30 seconds while having that temporary loop hole between you and the unouthorizez request, you will notice in the bar below your internt explore or the firefox page the id that gives the temporary return request, all you have to do is after getting that temporary acces you will be able to gain complete access to the end users album for a very very short time, enableing you to edit or delte pictures comments, specially on accessin the aid=1 which still the smae way with no alteration what so ever..

GOOD Digging guys….

Deepak October 28, 2008

@EXPTORIZ
Buddy can you please be more clear about it??

vijayakumar November 15, 2008

I think all the bugs have been fixed, now nothing is working.

vijay

Deepak Jain November 15, 2008

@vijayakumar
Yes…
That is what Rahul have mentioned on the post.

joyeeta January 29, 2009

my friends are unable to comment on my album pics in my orkut profile…..I have not enabled any privacy settings change….pls suggest what to do??????[:-O]

Deepak Jain January 31, 2009

@ joyeeta
Sounds wired!
How can it be? Will check back settings in my profile.. and ‘ll let you know

Rahul Bansal January 31, 2009

@joyeeta
Is this happening with one friend or all of them?
If it is happening with one or two friends then I can’t say anything but if it is happening with all then u must check ur all settings in Orkut

P February 18, 2009

So ultimately is orkut safe to put up pics?

Ham March 20, 2009

Can i delete any picture from other user?

Gautam March 21, 2009

@Ham
No, you can’t

Sheeba June 6, 2009

When I uploaded one photo,it is shown in friend’s updates but not shown in my Album.The number of photoes also got increased.When i press delete,it shows ‘No donut user….’.Please fix this bug or tell me the way to delete that photo which is showing blank.

Rahul Bansal June 6, 2009

“No donut error” means problem is with Orkut server!

Sheeba June 8, 2009

Thanks for the Reply.So,the error will be rectified soon?

Rahul Bansal June 16, 2009

@Sheeba
Its already fixed.

PrinceGift May 17, 2010

Hi..:-(
Someone hacked my account and uploaded some personal pics of mine and is harrasing me very badly..He even changed the username and password..
i want to delete the album in which he has put the picsโ€ฆplease help meโ€ฆi am depressedโ€ฆ:-(