| At the age of 19, Sunny found loopholes such as "Session Hijacking" and "Cross Site Scripting" in the popular social networking website www.orkut.com. He also proved live on HEADLINES TODAY and other news channels of the India Today group that anyone's Orkut account can be hijacked using Orkut's cookie exploit.
Orkut Hacking
Orkut fails to expire the orkut_state session cookie on the server side when the
user logs off by clicking "Sign-Out" in the application. The cookie is
cleared on the client side (browser), but not on the server side. If reused,
it provides access to the user's Orkut account.
Upon logging in again, a new orkut_state session cookie is created, but the old session
cookies still stay active on the server side. Therefore, any session cookie can be reused
to gain access to the user's Orkut account. |
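
The logout behaviour described above, modelled as an added example (not Orkut's code and not part of the original page): an in-memory session table where sign-out either only clears the browser cookie or also deletes the token on the server. The `SessionStore` class, its `revoke_on_logout` flag, the user name and the two check functions are assumptions made for illustration; the checks are the kind a regression test for logout would run.

```python
import secrets


class SessionStore:
    """In-memory stand-in for a server-side session table (constructed for this example)."""

    def __init__(self, revoke_on_logout: bool):
        self.revoke_on_logout = revoke_on_logout
        self._sessions = {}  # token -> user name

    def login(self, user: str) -> str:
        # Each login issues a fresh, unpredictable token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def logout(self, token: str) -> str:
        """Handle sign-out and return the header that clears the browser's cookie."""
        if self.revoke_on_logout:
            # Hardened path: the server forgets the token, so a saved copy is useless.
            self._sessions.pop(token, None)
        # Weak path stops here: only the browser's copy is cleared.
        return "Set-Cookie: orkut_state=; Max-Age=0; Path=/"

    def authenticate(self, token: str):
        # Returns the user name for a live token, or None if the server does not know it.
        return self._sessions.get(token)


def token_accepted_after_logout(store: SessionStore) -> bool:
    """True if a token presented after sign-out is still honoured by the server."""
    token = store.login("alice")
    store.logout(token)
    return store.authenticate(token) is not None


def old_token_accepted_after_relogin(store: SessionStore) -> bool:
    """True if the first session's token still works once the user has logged in again."""
    old = store.login("alice")
    store.logout(old)
    store.login("alice")  # the new session gets its own token
    return store.authenticate(old) is not None
```

With `revoke_on_logout=False` both checks return `True`, which is the behaviour the text describes; with `revoke_on_logout=True` both return `False`.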