Blue Screen Of Duds

Where the alter ego of codelust plays

Paging Messers Page and Brin: Please shut down Orkut

with 3 comments

Two of the worst products in Google’s lineup are Orkut and Blogger. There are various reasons why those two deserve that label, but when a company worth billions, with more PhDs on its rolls than anyone can count, puts up a notice that says, “Security tip: Never paste a URL or script into your browser while logged into, no matter what it claims to do,” it really does not get any worse than that. Google, please do yourself and your users a favour and shut the damn thing down till you fix it.


Apparently there has been a spate of recent Google Account hijackings that don’t follow any particular pattern. There is a fairly high probability that the warning on Orkut has something to do with one of the twin curses of Web 2.0: a CSRF or an XSS attack. Orkut handles its authentication and cookies differently from the rest of the Google framework.

You can log into Orkut and also be logged into other Google products like Google Reader and Gmail without being prompted to authenticate yourself again when you browse to those products. Conversely, if you log into the other two and browse over to Orkut, you will be faced with the authentication prompt.

In all probability, Orkut is using another cookie of its own in addition to the Google account cookie, and somewhere in between a malicious script is hijacking the Google account cookie, using the cross-domain permissions that are granted to Orkut pages to do the initial authentication on the GLogin.aspx page. In any case, Google should have fixed the problems with Orkut rather than expecting users not to paste a URL or a script into the browser while they are logged into the website.
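Whether a script running inside a page can read an account cookie at all depends on two cookie attributes, Domain scope and HttpOnly. The sketch below is an added example, not code from Orkut or Google; every hostname and cookie name in it is constructed. It models which cookies `document.cookie` would expose to script on a given host, with a weak configuration beside a hardened one.

```javascript
// Added example: models which cookies document.cookie exposes to a script
// running on a given host, by Domain scope and the HttpOnly flag.
// All hostnames and cookie names/values are constructed for illustration.
function parseSetCookie(header, setByHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: setByHost.toLowerCase(), // host-only unless Domain widens it
    hostOnly: true,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "domain" && v) {
      cookie.domain = v.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (k.toLowerCase() === "httponly") {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Names of the cookies a script on `host` could read via document.cookie.
function scriptReadable(cookies, host) {
  return cookies
    .filter((c) => domainMatches(host, c) && !c.httpOnly)
    .map((c) => c.name);
}

// Weak: the account cookie is shared across subdomains and readable by script.
const weakJar = [
  parseSetCookie("account_sid=constructed-1; Domain=.example.com; Path=/", "accounts.example.com"),
  parseSetCookie("social_state=constructed-2; Path=/", "social.example.com"),
];
// Hardened: same scoping, but HttpOnly keeps both cookies away from script.
const hardenedJar = [
  parseSetCookie("account_sid=constructed-1; Domain=.example.com; Path=/; HttpOnly; Secure", "accounts.example.com"),
  parseSetCookie("social_state=constructed-2; Path=/; HttpOnly", "social.example.com"),
];
console.log("weak:", scriptReadable(weakJar, "social.example.com"));
console.log("hardened:", scriptReadable(hardenedJar, "social.example.com"));
```

HttpOnly only keeps the cookie out of script; requests sent from the page still carry it, so CSRF needs its own defence.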

Google’s greatest strength is its computing framework (one that even Microsoft, with its ‘cloud’ initiative, will take a lot of time to catch up with), where applications basically plug into Bigtable and GFS, requiring relatively smaller teams of developers to sustain and develop the less important products; Orkut and Blogger belong to that category. After all, since when does getting an Ajax button to post a comment, or having a product blog (OMG! We have a blog now, we are so 2005!), or having dynamic pages on a blog network represent significant advances in the history of humanity?

The trouble is that the same strength works as Google’s major weakness too. Since they don’t need massive teams to deploy and sustain these applications, the products don’t get the attention that’s required and function mostly on autopilot. And unlike what most people think, Google does not really care much about being a segment leader as long as they can mine usage data, do behavioral analysis and use that to improve the advertising cash cow. But that does leave holes like these open, which is just not done, and I hope Google fixes the holes soon before someone figures out an Orkut-wide attack.

p.s: Get someone to fix the language in the warning. It almost sounds like they are urging users not to use Orkut irrespective of what the site claims to do.


Written by shyam

August 3, 2007 at 10:44 am

Posted in Blogs, Google, security

3 Responses


  1. Shyam,

    I don’t agree with your assessment that Google doesn’t provide attention to its products. I can’t think of one single Google product which doesn’t have Google written all over it. (Case in point is Google Reader. When Google Reader was launched first, it was unusable. But, recently, Bloglines kept on messing with feeds which made me switch to Google Reader. It is simply not the same as the one I saw more than a year back.)

    The reason Orkut is not getting their attention might simply be that they don’t care about it. Have you noticed how ugly Orkut is? Or that there is no Google logo on Orkut pages and just an inconspicuous “in affiliation with Google”? It was started as a personal project in the “20% time” culture. It became wildly popular in Latin America and India. Somehow I feel they are not very happy with its success and given a chance they want to shut it down.

    (PS: Sorry if this got submitted multiple times.)


    August 4, 2007 at 5:08 am

  2. Shashikant,

    Never said they don’t pay attention, what I meant was they don’t pay equal attention. Or even enough attention to some of the lesser products. I’ve been a long-time Google Reader devotee and I am pretty much dependent on Google Calendar and Gmail too to run my life and most of those are really good.

    What I feel is that Orkut will eventually get shut down or be siphoned off as local products where they are successful and social networking will be replaced by the new one they are working on.


    August 6, 2007 at 2:47 pm

  3. Scores of orkut users are migrating to facebook en masse, Myspace somehow did not latch on in India. Besides we have our very own homegrown versions of orkut such as ibibo and what not.


    October 9, 2007 at 6:05 am
