Full Disclosure mailing list archives

Google/Orkut Authentication/Session Management Issue PoC - Interim Results
From: Joseph Hick <leet16y () yahoo com>
Date: Sun, 8 Jul 2007 03:04:29 -0700 (PDT)

This is the interim result of a proof of concept for
Google Authentication issues posted in the threads...

(Orkut Server Side Management Error by Susam Pal &
Vipul Agarwal)

(Google Re-authentication Bypass by Susam Pal)

A session was created in Orkut at about Sat Jun 30
20:30 UTC 2007. Between June 30 and now many have
hijacked this session and logged out many times but
the session is alive today as verified on Sun Jul 8 at
09:43:10 UTC 2007. The cookie for this PoC session is

Name: orkut_state
Domain: .www.orkut.com
Path: /
Send for: Any type of session
Expires: Expire at end of session

This proves that the session remains alive for at
least 7 days after logging out. Steps to verify:

1.) Open Firefox, etc. which allows cookie editing.
This extension is required...

2.) Set the given cookie.

3.) Try to visit http://www.orkut.com/Home.aspx

4.) You will be automatically logged in with my
account. It will not ask for any user-name or

5.) Log out.

6.) Repeat steps 1. to 4. You can log in again.

I want to see how long this session remains alive
after multiple logouts. If you try this PoC, leave a
message in the scrapbook of the account here ...



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
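
An added example, not part of the original post and not Orkut's or Google's code: a minimal model of the failure class reported above, where logging out does not invalidate the session on the server, next to the corrected behaviour. The class and function names, the user `alice` and the 8-hour `MAX_AGE` are assumptions made for illustration.

```python
import hashlib
import secrets
import time

MAX_AGE = 8 * 3600  # assumed absolute session lifetime, in seconds


class SessionStore:
    """Server-side session table keyed by a hash of the cookie token."""

    def __init__(self, revoke_on_logout, clock=time.time):
        self.revoke_on_logout = revoke_on_logout
        self.clock = clock
        self._sessions = {}  # sha256(token) -> (user, created_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, self.clock())
        return token  # value sent to the browser as the session cookie

    def logout(self, token):
        # Weak variant: the response only tells the browser to drop its cookie;
        # the server-side record survives, so a saved copy of the value still works.
        if self.revoke_on_logout:
            self._sessions.pop(self._key(token), None)

    def authenticate(self, token):
        """Return the user for a presented cookie value, or None."""
        user, created = self._sessions.get(self._key(token), (None, 0.0))
        if user is None or self.clock() - created > MAX_AGE:
            self._sessions.pop(self._key(token), None)  # drop expired record
            return None
        return user


def replay_after_logout(revoke_on_logout):
    """Log in, log out, then present the same cookie value again."""
    store = SessionStore(revoke_on_logout)
    cookie = store.login("alice")  # constructed sample user
    store.logout(cookie)
    return store.authenticate(cookie)


if __name__ == "__main__":
    print("client-only logout:", replay_after_logout(False))
    print("server-side revoke:", replay_after_logout(True))
```

The absolute timeout in `authenticate` bounds how long a cookie value stays usable even when logout is never called.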
