
  2008-08-07 08:05:27

ymm0t

Ok, it's my friend's post, reckord of reckord.info. Here it is:

[quote]Howdy fellas, glad you come to read my new post. This is about Friendster. Friendster again? Am I not bored? Of course I do, it’s my fun! Hacking is for fun, don’t you think so? Of course you don’t if you have already made hacking your job. It’s no fun anymore, is it? It’s about work. Or if someone still says it’s fun whether it’s a job or not, glad to hear that! :)

OK, to the point. Monday, when I had a trip to Tanah Lot in Bali, my friend ymm0t called me and sent me his advisory. It’s about Friendster’s log out problem. Well, I found it earlier than him, but never thought of writing this.

Have you ever been given a link by someone, that is, http://profile.friendster.com/logout.php? Or it’s after you view someone’s profile (profile.friendster.com/r3ck0rd for example). After you click it, you’ll see the logout page. But when you go to the home page of Friendster, you’ll see you haven’t logged out from Friendster. What’s going on?

This is my deduction, and ymm0t may not know this. You were logged out. But not from www.friendster.com. Only from profile.friendster.com. It’s a fatal fault for the user if they log out after they view someone’s profile by clicking the link above, right. It resets the cookie of profile.friendster.com, but does not reset the cookie of www.friendster.com.

So what’s all the babbling about? Haven’t got it? Right, here’s a scenario. If you were browsing on Friendster, and viewing someone’s profile, then you were forced by your friend to press the log out link at the top bottom, or you were told by your friend to go to profile.friendster.com/logout.php, because your friend wants to use it. Well, after the “You have been logged out” text showed up, then you give your friend a turn to use the computer. The fact is, if your friendster… I mean if your friend is naughty, as you haven’t been logged out from www.friendster.com, he can still access your account. And do something bad. Like putting a bad code in your profile, maybe to steal your friends’ cookies, and your account may be banned for containing that code.

This short? Yeah, this short. Short and easy to take over one’s account, right? Lucky you if you access Friendster from your own PC or notebook at home. What if, in the internet café?

So, here are the problem solvers:
* After you log out anywhere in Friendster, make sure you check out www.friendster.com too. Recheck always.
* It’s recommended to log out from the home page, friendster.com.
* If it’s not helping, just install a cookie editor plugin for your browser and just delete all the cookies from Friendster.

It’s not reported yet, but I’ll be reporting it to the Friendster Team. By the way, after Th0R read this, he mentioned CSRF. I don’t know what he meant but I’m thinking about sending my friends this link or just putting a CSRF in my FS Profile like this: <img src="http://profiles.friendster.com/logout.php" alt="logout" /> It’ll be kinda annoying huh :lol:

All credits to: ymm0t for reminding me of this. And Th0R for the CSRF idea. :)

GreetZ to:
- All SATE, HackingForte, and Ha.ckwith.us members. You’re all my support in growing my hacking activity.
- IndoForum members. You may dislike me or not because I’m still one of them, but this forum is the place where I grew up too.
- BayPas staffs and members, thanks for entrusting me to be the technician.
- Most of all, Jesus for keep giving me my breath.

Thu.2008.6.19 r3ck0rd © 2008 r3ck0rd and ymm0t. Some rights reserved.

Disclaimer: The copyright above is for the text, not the bug. We never claim this as my own bug found. I don’t know if someone has reported this anywhere, because it’s an easy thing to find.[/quote]

© Calvin Limuel a.k.a. r3ck0rd. Text taken from http://reckord.info/friendster/friendster-bug/81.friendster-logout-problem.html. Licensed under Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.
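The root cause the post describes is a logout that only clears the cookie for one host while the session itself stays valid server-side. The following is an added example (not code from the post or from Friendster) that models that flaw with a constructed in-memory session store and shows the logout design that closes it: revoke the session on the server, then expire the cookie for the parent domain; the host names are taken from the post and everything else is a constructed model.

```python
import secrets

# Constructed model of the bug described in the post: one server-side session
# store, but each Friendster host keeps its own copy of the session cookie.
SESSIONS = {}                      # session id -> username (server side)
HOSTS = ("www.friendster.com", "profile.friendster.com")


def login(username):
    """Returns a browser cookie jar: every host gets a copy of the new session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return {host: sid for host in HOSTS}


def current_user(host, jar):
    """Who the server thinks is logged in for a request to `host`."""
    return SESSIONS.get(jar.get(host))


def logout_cookie_only(host, jar):
    """The flawed logout from the post: the handler on one host just drops that
    host's cookie. The session id itself stays valid on the server, so any other
    host still carrying a copy of it keeps working."""
    jar.pop(host, None)


def logout_revoke_session(host, jar):
    """Hardened logout: revoke the session server-side first, then clear the
    cookie for the parent domain so every subdomain's copy dies with it (the
    equivalent of Set-Cookie: ...; Domain=.friendster.com; Max-Age=0)."""
    sid = jar.get(host)
    if sid is not None:
        SESSIONS.pop(sid, None)    # a leftover copy of the cookie is now worthless
    for h in HOSTS:
        jar.pop(h, None)


def demo():
    """Reproduces the post's scenario, then shows it closed by the hardened logout."""
    jar = login("alice")
    logout_cookie_only("profile.friendster.com", jar)
    still_in = current_user("www.friendster.com", jar)    # 'alice': the bug

    jar = login("alice")
    logout_revoke_session("profile.friendster.com", jar)
    after_fix = current_user("www.friendster.com", jar)   # None
    return still_in, after_fix


if __name__ == "__main__":
    print(demo())
```

The second half of the check matters most: once the session is revoked server-side, a stale cookie copy on any host is rejected, which is what the cookie-only logout in the post never guaranteed.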
