Two proof-of-concept cookies have been disclosed to demonstrate that Orkut does not invalidate the Google authentication cookie on logout, so the Orkut session is never actually killed. The reporter's conclusion: "Hijacked session can be used for 14 days by the hijacker because logging out does not kill the session."
The original mailing-list posting is here: http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064649.html
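To make the reported failure concrete, here is an added example (not code from the advisory or from Orkut/Google) contrasting a logout that only clears the browser cookie with one that also revokes the server-side session; the store, the 14-day lifetime and all names are hypothetical.

```python
"""Added example: why logout must revoke the session server-side.
A logout that only tells the browser to drop the cookie leaves a copied
cookie valid until its expiry (14 days in the reported case)."""
import secrets
import time

SESSION_TTL = 14 * 24 * 3600  # 14-day lifetime, as stated in the report


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock for testing expiry
        self._sessions = {}      # token -> (user, expiry timestamp)

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._now() + SESSION_TTL)
        return token

    def lookup(self, token):
        """Return the user for a presented cookie, or None if unknown/expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if self._now() >= expiry:
            del self._sessions[token]
            return None
        return user

    def logout_cookie_only(self, token):
        """Weak logout (the reported behaviour): the browser drops the cookie,
        but the server record survives, so a stolen copy is still honoured."""
        return {"Set-Cookie": "SID=; Max-Age=0"}

    def logout_revoke(self, token):
        """Correct logout: drop the server-side record as well."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "SID=; Max-Age=0"}


def demo():
    """Returns (copy still valid after weak logout, copy rejected after revoke)."""
    store = SessionStore()
    tok = store.login("alice")          # attacker is assumed to hold a copy of tok
    store.logout_cookie_only(tok)
    still_valid = store.lookup(tok) is not None
    store.logout_revoke(tok)
    revoked = store.lookup(tok) is None
    return still_valid, revoked
```

A test for the real application is the same check: present the pre-logout cookie after logging out and expect a rejection.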
The example session was created on 30th June, then logged out, and it was working until this Sunday.
This issue was still in the wild. Google has not taken action to fix this.
Thanks for the additional info.