Thursday, December 20, 2007

Your 'Private' Videos on Orkut Are NOT Private!

Hmmm.. After a long time I have found something interesting to write about.

Orkut now has a feature that allows you to set your videos and photos as private, so that only your friends can see them. Well, it's not implemented that well, it seems.

The Referer header is at fault this time. YouTube videos have a links section below each video, which lists the pages that link to the current video. It reveals who has added the video to his/her profile, even though that person has set videos to private.

E.g. visit this video.
The links section below the video shows the following link.

This poor woman wanted to keep her videos private.

Anyway, the severity of this issue may not be like > 6/10. But you never know.

Google advanced search may allow you to target a particular Orkut user profile. I have not evaluated this possibility, though.

The fix is simple, I guess. Google should make sure that no Referer is sent for private videos (there are more than a few ways to do that). The GET method could be replaced with POST.
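One way to make sure no Referer is sent for private pages is the browser `Referrer-Policy` response header, standardized after this post was written. The added example below is not Orkut's or Google's code: it models which Referer value a browser sends under each policy, so the leak and the fix can be compared side by side. The host names, the `uid` value and the `headersForProfilePage` helper are constructed assumptions.

```javascript
// Added example: the Referer a browser sends under each Referrer-Policy value
// (simplified from the W3C Referrer Policy rules). URLs are constructed placeholders.

function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";   // scheme + host (+ port) only
  u.username = "";                          // credentials and fragment are never sent
  u.password = "";
  u.hash = "";
  return u.href;                            // full path and query string remain
}

function refererFor(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return stripForReferrer(pageUrl, false);
    case "origin": return stripForReferrer(pageUrl, true);
    case "same-origin": return sameOrigin ? stripForReferrer(pageUrl, false) : null;
    case "strict-origin": return downgrade ? null : stripForReferrer(pageUrl, true);
    case "no-referrer-when-downgrade": return downgrade ? null : stripForReferrer(pageUrl, false);
    case "origin-when-cross-origin": return stripForReferrer(pageUrl, !sameOrigin);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(pageUrl, false);
      return downgrade ? null : stripForReferrer(pageUrl, true);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Hypothetical server-side helper: pages holding private media get the strictest policy.
function headersForProfilePage(isPrivate) {
  return { "Referrer-Policy": isPrivate ? "no-referrer" : "strict-origin-when-cross-origin" };
}

// Constructed sample: a private profile page embedding a third-party video.
const profilePage = "http://social.example/Profile?uid=1234567890#videos";
const videoEmbed = "http://video.example/watch?v=PLACEHOLDER";

function demo() {
  const policy = headersForProfilePage(true)["Referrer-Policy"];
  return {
    // Historical browser default: the full profile URL reaches the video site.
    legacy: refererFor("no-referrer-when-downgrade", profilePage, videoEmbed),
    hardened: refererFor(policy, profilePage, videoEmbed),
  };
}
console.log(demo());
```

The same effect can be scoped to a single link or embed with `rel="noreferrer"` or the `referrerpolicy` attribute instead of a page-wide header.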

Keep integrating more stuff into your application and have fun.


Note: I have nothing against this orkut user. It was the first example of the issue I came across, that's all.
