I trust Google. I use GMail as my primary email address and store stuff in my mailbox that is of crucial importance to my existence as a citizen of this modern world. Over the past couple of months, Google’s Orkut has dealt a deadly blow to that trust that is making me rethink my allegiance towards anything Google.
I am the owner of a midly popular community on Orkut with about 25k users. Since I was given the privilege of being a beta tester on Orkut, I had created a community called Calcutta many years ago and that community has since, taken on a life of its own. It is run by moderators who report to me and I log in every so often to perform maintenance and help the moderators out. My existence is not only a mystery to the members of the community, it is also the source of much speculation and conspiracy theories, which was fine and dandy.
The Orkut application itself is full of holes and though Google seems to respond to major public reports of vulnerabilities, they keep coming back. Support for Orkut from Google is almost non-existent with what appears to be zero accountability. If one plows through the Google help sections to try and solicit help, they are either faced with a page not found or convoluted help screens that barely ever actually lead to a form to request support. Pleas for help and more often answered by the “Orkut hackers” than by actual Google employees. The Orkut application is so dangerous that people do not click on any links that are not Orkut generated and even then accounts and communities are compromised all the time. Hacking scripts and techniques are easily found via a simple Google search.
Now I am just as selfish of an individual as everyone else. I barely cared about any of these issues until something bad happened to me that I needed help for. I was the target of a phishing attack on Orkut and I fell for it hook line and sinker. My Google login is associated with my Orkut login. As soon as I realized that I had just sent my username and password to a phisher (within a few seconds of me hitting enter), I changed my Google account password. But alas, the damage had already been done.
This is where things get really weird. Apparently, a group of “hackers” had taken over my Orkut profile and were making drastic changes to the Calcutta community. Emails, IMs and phone calls started to roll in and I was in full panic. I was immediately concerned that my Google account was still compromised and all my personal stuff in my email would be in jeopardy. I went into damage control mode. I changed all my authentication credentials for everything Google.My Gmail account seemed to be untouched but my Orkut account, which uses the same login credentials (I know that was my own fault), seemed to still be under rogue control.
In spite of changing my passwords multiple times, changing login names, changing email addresses and trying all authentication tricks to fix Orkut, the miscreants still regained control of my profile. Instead of falling for the FUD about viruses and worms on my computer (many well wishers who reported the problem to me suggested that I format my computer because i had a key logger that was sending my password to the hackers, completely untrue), I decided to do some research on the problem. The more I learned, the less confidence I had in Orkut and Google’s intention and/or ability to fix the problems.
Now the only reason I disclose this issue is because I have not only reported it to Orkut (and received no answer), it appears to be the same an age old vulerability and one of many similar issues that were purportedly fixed. You can recreate this at home if you please.
The Orkut application stores cookies in such a way that if your cookie is ever recreated by someone else or transmitted to someone else, they can use that cookie to log in to Orkut as you. forever. No matter how you change your credentials, you have no recourse of regaining control. So if you ever get caught in a phishing scam that sends your password to someone else and they recreate your orkut_state cookie, they can login as you forever. I will not go into the technical details but the link above discusses it. If you log into your Orkut account using Firefox, using a cookie editing plugin, look for a cookie called orkut_state and copy the contents. Then log out of Orkut. After logging out, re-add the orkut_state cookie to Firefox with the cookie editing plugin and then visit www.orkut.com You will find yourself logged back in. Now I have tried changing my password, using a different browser, using a different machine from another location and other tricks with the same cookie and I have been granted access in all cases. From my research, it appears that Orkut expires the state cookie after 1 day (other reports talk about a 14 day expiration) but that problem is easily circumvented.
So essentially, I am completely at the mercy of the people that have re-created my orkut_state cookie using my old password that I disclosed on the phishing site. I have tried to contact Orkut help, posted messages in the help groups, emailed and complained to Google, emailed and complained via the Orkut complaint forms and even tried sending messages to places that are not meant to be Orkut related. It has been over two weeks and I have yet to receive a single acknowledgment. Nothing, nada, zip.
I don’t mind telling you that it is despicable for a company like Google to run an extremely popular application with a complete lack of care for its netizens. While I acknowledge that Orkut is not the most important product that Google offers, I think Google should still stand by their product. I also acknowledge that the fact that I am in this mess is my own fault, but shouldn’t there be some recourse? Would Facebook or MySpace do the same thing? Are we all under the false hope that someone in these big companies actually cares about the people that use their products? Is the online world doomed to failure in circumstances or are we willing to make a stand only when it affects us?
Who can I contact at Google that can even pretend to help? I am NOT “negotiating” with the hackers who have control over my profile, which has also been suggested and immidiately turned down by me. Or is my community a complete loss because I made a mistake and fell for a phishing attack?
I am not sure how I feel about trusting my life’s contents to Google if this is how Google treats compromises in security.