A few hours back, I wrote about the latest Orkut album bug, which enabled any user to delete anyone’s photo. It looks like Orkut is reading this blog, as a bug that had been open for 4 days is now temporarily fixed.
Anyway, I feel it’s safe to unveil the details now. As most of the stuff below is technical in nature, you can skip it if you want…
Where was the bug?
The bug was in EditPhotos.aspx, the page that handles Orkut’s new album feature for editing all photos at once.
Now have a look at the following URL structure…
It takes three parameters. uid, as most already know, is a user id, which also appears in profile, scrapbook and other user-specific URLs.
aid stands for album id. It’s relatively new and identifies each Orkut album uniquely. It was introduced with the launch of the album feature in Orkut. Before that, there was only a single album for all photos.
I don’t know much about full=1, but it had to be there in every request I observed.
How was it used?
uid is easy to get, but we need aid to target an album. Also, not every combination of uid and aid is valid, even if both exist separately.
So the best way was to go to the album first. A URL to an album is like
Now take the values of uid and aid from a URL like the one above and construct a URL for EditPhotos.aspx, which looks like the one below in this case…
Just a few hours back, opening a link like the one above could give you EDIT access to Tanmay’s album, which we used in this example! 😉
But what about locked or private album?
Yeah, the question is valid: in order to gain EDIT access to an album you need to view it first, and if the album is locked, you cannot view it.
Now, going back to when Orkut launched the album feature: if you remember, Orkut created a default album for you. All such albums have aid=1. And uid is not secret at all!
So even if a user chose to lock albums, the first album could be viewed and edited! And barring one exception in my own tests, all locked albums showed up in the content of the first album. Of course I haven’t edited them! 😉
What the hell is this EDIT access I am talking about?
Put in simple terms, anyone can do to your albums things you think only you could do… 😉
Where might things have gone wrong?
As I mentioned in the earlier post, it looked to me like Orkut relied on authentication handled by the parent page. EditPhotos.aspx is linked directly only from Album.aspx. Album.aspx does authenticate the user in order to show or hide the upload option and some other features. But EditPhotos.aspx seemed to count on that, which is the wrong thing to do. Every page that can write data back must authenticate the content owner separately!
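The per-endpoint ownership check argued for above, as an added example (a constructed Python model, not Orkut's code; the handler names, the `ALBUMS` store and the sample ids are assumptions):

```python
# Added example: constructed in-memory model, not Orkut's code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the session user may not perform the requested action."""


@dataclass
class Album:
    uid: str                # owner's user id (public, appears in URLs)
    aid: int                # album id; the default album is aid=1
    locked: bool = False    # privacy flag; the flawed handler never consults it
    photos: list = field(default_factory=list)


# Constructed sample data: one locked default album owned by user "1001".
ALBUMS = {("1001", 1): Album("1001", 1, locked=True, photos=["a.jpg", "b.jpg"])}


def album_page(session_uid, uid, aid):
    """Album.aspx analogue: only decides whether to render the edit link."""
    album = ALBUMS[(uid, aid)]
    return {"show_edit_link": session_uid == album.uid}


def edit_photos_trusting(session_uid, uid, aid, delete):
    """Flawed pattern: assumes only owners arrive here because only
    album_page() links to it. uid and aid come from the URL, so the
    session identity is never compared with the album owner."""
    album = ALBUMS[(uid, aid)]
    album.photos = [p for p in album.photos if p not in delete]
    return album.photos


def edit_photos_checked(session_uid, uid, aid, delete):
    """Corrected pattern: the write handler itself compares the server-side
    session identity with the album owner before changing anything."""
    album = ALBUMS.get((uid, aid))
    if album is None or session_uid != album.uid:
        raise Forbidden("You are not authorized to do the requested action.")
    album.photos = [p for p in album.photos if p not in delete]
    return album.photos
```

Hiding the edit link in `album_page` changes only what is rendered; the decision that protects the data is the comparison inside the write handler.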
Is this bug really fixed?
The one-word answer is NO. But Orkut has taken down EditPhotos.aspx for now, so hopefully it will come back with a fix. So as of now neither you nor anyone else can use the edit-all-photos-at-once feature!
YES, the bug is fixed and EditPhotos.aspx is back. So there is nothing to worry about for a while!
But I repeat, never count on orkut for your safety! 🙂
Hey, tell us how to see pics then?
Not possible as of now!
The bug is fixed! 🙂
Please tell me how do I unlock the album in Orkut because it’s a matter of my life as I have a doubt about my fiancee … so for god’s sake please help
Sorry bro, bug is fixed so no donuts as of now! 🙁
One personal suggestion…
If you don’t trust her… better leave her. It never works without trust! 🙂
Looks like the bug did get fixed after all. This is what you get now :
Bad, bad user! No donut for you.
You are not authorized to do the requested action.
First sorry for late reply as I was offline on a long vacation.
Now the bug got fixed on same day I posted this. I forgot to update this post… 🙁
Thanks for reminding… 🙂
Dear, find a new way to see album or any bug
Man, it’s not easy anymore… 🙁
Orkut is getting more and more secure every day…
You’re welcome buddy 🙂
Never knew about this. Thanks.
it will open your album for editing…..!!
It won’t… 😉
It used to but… for few days.. 🙂
I found a new way to exploit an album, using a SQL injection, to exploit the old vulnerability, creating a target response from the coding, which will enable a temporary access ID while the request is being sent. That temporary ID will be open until the session has finalized, which can take up to 30 seconds. While having that temporary loophole between you and the unauthorized request, you will notice in the bar below your Internet Explorer or the Firefox page the ID that gives the temporary return request. All you have to do is, after getting that temporary access, you will be able to gain complete access to the end user’s album for a very, very short time, enabling you to edit or delete pictures, comments, especially on accessing the aid=1, which is still the same way with no alteration whatsoever..
GOOD Digging guys….
Buddy can you please be more clear about it??
I think all the bugs have been fixed, now nothing is working.
That is what Rahul has mentioned in the post.
My friends are unable to comment on my album pics in my Orkut profile… I have not changed any privacy settings… please suggest what to do? [:-O]
How can it be? Will check back settings in my profile.. and I’ll let you know
Is this happening with one friend or all of them?
If it is happening with one or two friends then I can’t say anything, but if it is happening with all then you must check all your settings in Orkut
So ultimately is orkut safe to put up pics?
Can i delete any picture from other user?
No, you can’t
When I uploaded one photo, it is shown in friends’ updates but not shown in my album. The number of photos also got increased. When I press delete, it shows ‘No donut user….’. Please fix this bug or tell me the way to delete that photo which is showing blank.
“No donut error” means problem is with Orkut server!
Thanks for the reply. So, the error will be rectified soon?
It’s already fixed.
Someone hacked my account and uploaded some personal pics of mine and is harassing me very badly.. He even changed the username and password..
I want to delete the album in which he has put the pics… please help me… I am depressed… :-(