Paging Messrs Page and Brin: Please shut down Orkut
Two of Google’s worst products in its line-up are Orkut and Blogger. There are various reasons why those two deserve that label, but when a company worth billions, with more PhDs on its rolls than anyone can count, puts up a notice that says, “Security tip: Never paste a URL or script into your browser while logged into orkut.com, no matter what it claims to do,” it really does not get any worse than that. Google, please do yourself and your users a favour and shut the damn thing down till you fix it.
Apparently there has been a spate of recent Google Account hijackings that don’t follow any particular pattern. There is a fairly high probability that the warning on Orkut has something to do with one of the twin curses of Web 2.0: a CSRF or an XSS attack. Orkut handles its authentication and cookies differently from the rest of the Google framework.
You can log into Orkut and also be logged into other Google products like Google Reader and Gmail without being prompted to authenticate yourself again when you browse to those products. Conversely, if you log into the other two and browse over to Orkut, you will be faced with the authentication prompt.
In all probability, Orkut is using another cookie of its own in addition to the Google account cookie, and somewhere in between a malicious script is hijacking the Google account cookie, using the cross-domain permissions that are granted to Orkut pages to do the initial authentication on the GLogin.aspx page. In any case, Google should have fixed the problems with Orkut rather than expect users not to paste a URL or a script into the browser while they are logged into the website.
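The defender's check that follows from this guess is an audit of the Set-Cookie headers a site hands out: a session cookie without HttpOnly is readable by any script running in the page, and one scoped to a parent domain is shared with every subdomain. The snippet below is an added example, not code from Google or this post; the cookie names, values and domains are constructed placeholders, not captured traffic.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed Set-Cookie headers standing in for what a browser might receive
# while logged into Orkut. Names, values and domains are assumptions.
SAMPLE_SET_COOKIE_HEADERS = [
    "orkut_state=abc123; Domain=.orkut.com; Path=/",
    "SID=def456; Domain=.google.com; Path=/; Secure; HttpOnly",
    "LSID=ghi789; Domain=.google.com; Path=/",
]

# Cookie names treated as session credentials; also an assumption.
SESSION_COOKIE_NAMES = ("SID", "LSID", "orkut_state")


def audit_set_cookie(header: str, session_names=SESSION_COOKIE_NAMES) -> List[str]:
    """Return findings for one Set-Cookie header value.

    Missing HttpOnly: the cookie is exposed to page script, including a script
    the user is tricked into pasting into the address bar.
    Missing Secure: the cookie is sent over plain HTTP.
    Leading-dot Domain: the cookie is sent to every subdomain, so a weakness
    on any one of them affects the whole account.
    """
    findings = []
    jar = SimpleCookie()
    jar.load(header)
    for name, morsel in jar.items():
        if name not in session_names:
            continue
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (script-readable)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent over plain HTTP)")
        domain = morsel["domain"]
        if domain.startswith("."):
            findings.append(f"{name}: Domain={domain} shared with all subdomains")
    return findings


def audit_all(headers=SAMPLE_SET_COOKIE_HEADERS) -> Dict[str, List[str]]:
    """Map each cookie name to its findings across a list of headers."""
    return {h.split("=", 1)[0]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie, issues in audit_all().items():
        print(cookie, "->", issues or ["ok"])
```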
Google’s greatest strength is its computing framework (one that even Microsoft, with its ‘cloud’ initiative, will take a long time to catch up with), where applications basically plug into Big Table and GFS, so that relatively small teams of developers can sustain and develop the less important products; Orkut and Blogger belong to that category. After all, since when does getting an Ajax button to post a comment, having a product blog (OMG! We have a blog now, we are so 2005!) or having dynamic pages on a blog network represent a significant advance in the history of humanity?
The trouble is that the same strength works as Google’s major weakness too. Since they don’t need massive teams to deploy and sustain these applications, the products don’t get the attention that’s required and function mostly on autopilot. And contrary to what most people think, Google does not really care much about being a segment leader as long as they can mine usage data, do behavioural analysis and use that to improve the advertising cash cow. But that does leave holes like these open, which is just not done, and I hope Google fixes the holes soon, before someone figures out an Orkut-wide attack.
P.S.: Get someone to fix the language in the warning. It almost sounds like they are urging users not to use Orkut, irrespective of what the site claims to do.