• Google Security Problems

    by  • February 1, 2009 • Business • 0 Comments

    Mark Ghosh tells a scary story about the security protocols and customer service at global search engine giant Google and how a life-time of work was lost.

    In spite of changing my passwords multiple times, changing login names, changing email addresses and trying all authentication tricks to fix Orkut, the miscreants still regained control of my profile. Instead of falling for the FUD about viruses and worms on my computer (many well wishers who reported the problem to me suggested that I format my computer because i had a key logger that was sending my password to the hackers, completely untrue), I decided to do some research on the problem. The more I learned, the less confidence I had in Orkut and Google’s intention and/or ability to fix the problems.

    The Orkut application stores cookies in such a way that if your cookie is ever recreated by someone else or transmitted to someone else, they can use that cookie to log in to Orkut as you. forever. No matter how you change your credentials, you have no recourse of regaining control. So if you ever get caught in a phishing scam that sends your password to someone else and they recreate your orkut_state cookie, they can login as you forever. I will not go into the technical details but the link above discusses it. If you log into your Orkut account using Firefox, using a cookie editing plugin, look for a cookie called orkut_state and copy the contents. Then log out of Orkut. After logging out, re-add the orkut_state cookie to Firefox with the cookie editing plugin and then visit Orkut, you will find yourself logged back in. Now I have tried changing my password, using a different browser, using a different machine from another location and other tricks with the same cookie and I have been granted access in all cases. From my research, it appears that Orkut expires the state cookie after 1 day (other reports talk about a 14 day expiration) but that problem is easily circumvented.

    I have not tried the process that Mark lays out (because I am not an Orkut user) but for those that use Orkut (or Google Apps), you may want to check this out.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Read This Before Leaving a Comment

    We have simple rules:

    • EVERYONE has the right to an opinion and if you would like to express yours, we expect it to be logical and intelligent.
    • Use your real name, not keywords
    • No signature links in your comments
    • No foul language (please)
    • If you can\'t respect someone\'s opinion and decide to take potshots or make derogatory comments; your opinion will be tossed in the trash.

    By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution.