Full Disclosure mailing list archives
Re: Orkut Email Address Disclosure Vulnerability
From: "Ronald MacDonald" <ronald () rmacd com>
Date: Thu, 7 Dec 2006 22:07:19 +0000
Hi Rajesh,
Description: A remote attacker can get the email address of anyone in the orkut as demonstrated below. The victim interaction is not required at all. Demonstration: Note: Demonstration leads to email address information disclosure - Login to your orkut account - Add any user as your friend (Person you want to get email address) - Click 'friends' tab - Click 'open friend requests' tab - Click edit button the email address of the user will be displayed as in the screenshot Same way your can find your friends email address also
It's not an 'exploit' but a 'feature' of the portal that orkut uses on its website, and is no more serious than posting your email address on a mailing list. Regards, Ronald. -- Ronald MacDonald http://www.rmacd.com/ 0777 235 1655 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Orkut Email Address Disclosure Vulnerability Rajesh Sethumadhavan (Dec 07)
- Re: Orkut Email Address Disclosure Vulnerability Ronald MacDonald (Dec 07)
- Re: Orkut Email Address Disclosure Vulnerability Matthew Flaschen (Dec 07)
- Re: Orkut Email Address Disclosure Vulnerability Ronald MacDonald (Dec 07)