tomcataxis writes: Susam Pal and Vipul Agarwal have published a security advisory on full-disclosure about two session management vulnerabilities that affect Orkut. The two issues described in the advisory are:
- A user's session remains alive at the server side even after he has logged out of Orkut. An attacker can take advantage of this to hijack a user's session.
- While performing some important activities, like deleting a community, the application might ask the user to re-authenticate himself with his password before proceeding. If the user enters the wrong password, the user is logged out but the session cookies as well as the session are alive at the client side as well as the server side. This can be exploited by an attacker to hijack a user's session and misuse his account.
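Both issues come down to the same defect: the application drops the session on the client (or just shows a logged-out page) without invalidating it on the server. The following added example, which is not code from the advisory, from Orkut, or from the submitter, models that defect beside the hardened behaviour. The `SessionStore`, `Client`, the `PASSWORDS` table and the "delete community" action are all constructed stand-ins; the two `session_survives_*` helpers are the audit check a reviewer would run against each flow: keep a copy of the cookie value, log out (or fail re-authentication), and see whether the copy still resolves to a user on the server.

```python
"""Server-side session invalidation: flawed logout and re-auth flows beside hardened ones.

Added illustration, not code from the advisory or from Orkut. Everything here
(store, client, credentials, the sensitive action) is a constructed stand-in.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


class SessionStore:
    """Constructed stand-in for the server-side session table."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}   # session id -> user name

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[str]:
        return self._sessions.get(sid) if sid is not None else None

    def destroy(self, sid: Optional[str]) -> None:
        if sid is not None:
            self._sessions.pop(sid, None)


@dataclass
class Client:
    """Stand-in for a browser: holds whatever session cookie it was issued."""
    cookie: Optional[str] = None


# Constructed sample credential; a real service would store a password hash.
PASSWORDS: Dict[str, str] = {"alice": "correct-horse"}


def check_password(user: str, password: str) -> bool:
    expected = PASSWORDS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())


# --- Issue 1: logout ---------------------------------------------------------

def logout_vulnerable(store: SessionStore, client: Client) -> None:
    # Only forgets the cookie on the client; the server-side entry survives,
    # so any copy of the cookie value remains a valid session.
    client.cookie = None


def logout_hardened(store: SessionStore, client: Client) -> None:
    # Invalidate on the server first, then clear the client cookie.
    store.destroy(client.cookie)
    client.cookie = None


# --- Issue 2: re-authentication before a sensitive action -------------------

def delete_community_vulnerable(store: SessionStore, client: Client, password: str) -> str:
    user = store.lookup(client.cookie)
    if user is None:
        return "not logged in"
    if not check_password(user, password):
        # Shows the logged-out page but leaves cookie and server session untouched.
        return "logged out"
    return f"community deleted by {user}"


def delete_community_hardened(store: SessionStore, client: Client, password: str) -> str:
    user = store.lookup(client.cookie)
    if user is None:
        return "not logged in"
    if not check_password(user, password):
        # If the user is logged out, the session must really end on both sides.
        store.destroy(client.cookie)
        client.cookie = None
        return "logged out"
    return f"community deleted by {user}"


# --- Audit checks: does a retained copy of the cookie still work afterwards? -

def session_survives_logout(logout_fn) -> bool:
    store = SessionStore()
    client = Client(cookie=store.create("alice"))
    retained_copy = client.cookie          # e.g. a stale copy in another tab or cache
    logout_fn(store, client)
    return store.lookup(retained_copy) is not None


def session_survives_failed_reauth(action_fn) -> bool:
    store = SessionStore()
    client = Client(cookie=store.create("alice"))
    retained_copy = client.cookie
    outcome = action_fn(store, client, "wrong-password")
    return outcome == "logged out" and store.lookup(retained_copy) is not None


if __name__ == "__main__":
    print("logout: session survives?", session_survives_logout(logout_vulnerable),
          session_survives_logout(logout_hardened))
    print("failed re-auth: session survives?", session_survives_failed_reauth(delete_community_vulnerable),
          session_survives_failed_reauth(delete_community_hardened))
```

The audit helpers return `True` for both vulnerable flows and `False` for both hardened ones; the same check, run against a real application with a browser and a second copy of the session cookie, is how a tester confirms whether logout and failed re-authentication actually terminate the session on the server.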