Saturday, June 30, 2007

Google Re-authentication Bypass

During a session, Orkut requires a user to re-enter his password before performing a crucial operation, so that someone with walk-by access to an unattended, logged-in browser cannot carry it out. If the user fails this re-authentication, he is redirected to the login page to authenticate again. However, at this stage the existing session is not temporarily disabled on the server side, so it remains usable. An attacker can exploit this to bypass the re-authentication step.

Read the article HERE.
