  2008-08-07 08:05:27

ymm0t

Ok, it's my friend's post, reckord of reckord.info. Here's it:

[quote]Howdy fellas, glad you come to read my new post. This is about Friendster. Friendster again? Am I not bored? Of course I do, it's my fun! Hacking is for fun, don't you think so? Of course you don't if you have already made hacking as a job. It's no fun anymore, isn't it? It's about work. Or if someone still say it's fun whether it's a job or not, glad to hear that! :)

OK to the point. Monday when I have a trip to Tanah Lot in Bali, my friend ymm0t called me and send me his advisory. It's about Friendster's log out problem. Well, I found it earlier than him, but never thought of writing this.

Have you ever given a link by someone, that is, http://profile.friendster.com/logout.php? Or it's after you view someone's profile (profile.friendster.com/r3ck0rd for example). After you click it, you'll see the logout page. But when you go to the home page of Friendster, you'll see you haven't logged out from Friendster. What's going on?

This is my deduction, and ymm0t may not know this. You were logged out. But not from www.friendster.com. Only from profile.friendster.com. It's a fatal fault for the user if they log out after they view someone's profile by clicking the link above right. It reset the cookie of profile.friendster.com, but did not reset the cookie of www.friendster.com.

So what's all the babbling about? Haven't get it? Right here's a scenario. If you were browsing on Friendster, and viewing someone's profile, then you were forced by your friend to press the log out link at the top bottom, or you were told by your friend to go to profile.friendster.com/logout.php, because your friend wants to use it. Well after the "You have been logged out" text showed up, then you give your friend turn to use the computer. The fact is, if your friendster… I mean if your friend is naughty, as you haven't been logged out from www.friendster.com, he can still access your account. And do something bad. Like putting a bad code to your profile maybe to steal your friends' cookies, and your account may be banned for containing that code.

This short? Yeah this short. Short and easy to take over one's account right? Lucky you if you access Friendster from your own PC or notebook at home. What if, in the internet café?

So, here are the problem solver:

* After you logout anywhere in Friendster, make sure you check out www.friendster.com too. Recheck always.
* It's recommended to log out from the home page. friendster.com.
* If it's not helping, just install a cookie editor plugin for your browser and just delete all the cookies from Friendster.

It's not reported yet, but I'll be reporting it to the Friendster Team.

By the way, after Th0R read this, he mentioned about CSRF. I don't know what he meant but I'm thinking about sending my friends this link or just put a CSRF in my FS Profile like this:

<img src="http://profiles.friendster.com/logout.php" alt="logout" />

It'll be kinda annoying huh :lol:

All credits to: ymm0t for reminding me this. And Th0R for the CSRF idea. :)

GreetZ to:

- All SATE, HackingForte, and Ha.ckwith.us members. You're all my support in growing my hacking activity.
- IndoForum members. You may dislike me or not because I'm still one of them, but this forum is the place where I grow up too.
- BayPas staffs and members, thanks for entrusting me to be the technician.
- Most of all, Jesus for keep giving me my breath.

Thu.2008.6.19 r3ck0rd

© 2008 r3ck0rd and ymm0t. Some rights reserved.

Disclaimer: The copyright above is for the text, not the bug. We never claim this as my own bug found. I don't know if someone has reported this anywhere, because it's an easy thing to found.[/quote]

- Calvin Limuel a.k.a. r3ck0rd

Text taken from http://reckord.info/friendster/friendster-bug/81.friendster-logout-problem.html. Licensed under Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.
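An added example, not part of the quoted post or of Friendster's code: a small audit that takes the cookies a browser holds and the `Set-Cookie` headers of a logout response, and reports which cookies the logout leaves in place. The cookie name `session`, the host-only scoping and the sample header are assumptions made for illustration; only the two host names come from the post.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

def _is_deletion(morsel, now):
    """A Set-Cookie deletes when Max-Age <= 0 or Expires is in the past."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) <= 0
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) <= now
    return False

def surviving_cookies(jar, logout_host, set_cookie_headers, now=None):
    """Return the jar entries a logout response leaves in place.

    jar entries are (name, scope, path); scope is the exact host for a
    host-only cookie, or ".domain" for a cookie set with Domain=.
    """
    now = now or datetime.now(timezone.utc)
    deleted = set()
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if not _is_deletion(morsel, now):
                continue
            domain = morsel["domain"].lower().lstrip(".")
            if not domain:
                scope = logout_host          # no Domain= : host-only
            elif logout_host == domain or logout_host.endswith("." + domain):
                scope = "." + domain         # parent domain the host may set
            else:
                continue                     # browsers reject foreign Domain=
            deleted.add((name, scope, morsel["path"] or "/"))
    return [c for c in jar if c not in deleted]

# Constructed sample: hypothetical cookie name, hosts taken from the post.
JAR = [
    ("session", "www.friendster.com", "/"),
    ("session", "profile.friendster.com", "/"),
]
LOGOUT_HEADERS = ["session=deleted; Path=/; Max-Age=0"]

if __name__ == "__main__":
    left = surviving_cookies(JAR, "profile.friendster.com", LOGOUT_HEADERS)
    for name, scope, path in left:
        print(f"still valid after logout: {name} scope={scope} path={path}")
```

Any session cookie this reports after logout needs either its own deletion header from a host allowed to set it, or server-side invalidation of the session it refers to.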
