... or more precisely a hole in the functionality of Orkut. A frequent #joiito'er (tangra) was able to send email to all of orkut.com's 8000 or so users. No scripting, no SQL injections. Just using the buttons they provided. Of course, I had to hit the History Eraser button. (Reply All)
I have the 121 page screen grab as proof. This just goes to show that if there is a will, there is a way. Security should be an important part of your testing strategies. I guess that's what betas are for.
Thanks Orkut. (And tangra)
PS: Another feature was found later on. All the pictures of people are in a publicly accessible directory. I snagged about 5500 before Orkut cut it off, I am thinking a photomosaic is in order. :)
But seriously, if someone had figured out how to mine personal data this would be a bit more serious. As of today (1/25/04) Orkut has quit sending out invites. I guess they are going to let us lucky 8873 play for a while.