Information Security News mailing list archives
Confirmed Email Privacy Hole at Orkut
From: InfoSec News <isn () c4i org>
Date: Wed, 4 Feb 2004 03:55:56 -0600 (CST)
http://www.lifewithalacrity.com/2004/02/confirmed_email.html

Christopher Allen
Posted on February 1, 2004

Another Orkut user and I have confirmed a privacy hole in Orkut whenever you send a message to someone via Orkut.

For instance, whenever I send a message to anyone in the system that is forwarded by email, in the message headers it will read:

    From: "Christopher Allen" <member () orkut com>
    Reply-To: "Christopher Allen" <christophera () alacritymanagement com>

When someone reads the message in their email software, the "From:" line will be my name but the fake email of <member () orkut com> -- however, when you reply to it, it will use my real email address.

This appears to happen whether or not I have my privacy settings to reveal my email address. For instance, I can set it so that no one (not friends, not friends of friends, only myself) can see my email address, but the address will still be revealed when I send an email.

I had reported what I thought was a security flaw when you emailed to "friends of friends" a couple of days ago, but I was mistaken, as I reported in my blog Insecurity at Orkut. However, as I didn't want to risk "crying wolf" this time, my friend and I triple-checked this and have confirmed this privacy flaw.

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
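
A check a service operator could run on outbound notification mail to catch the header leak described above, as an added example that is not part of the original post. The addresses, the `service.example` domain and the function name are constructed for illustration, and the check goes beyond Reply-To to the other headers a mail client may use as a return address.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (placeholder addresses, not taken from the post).
LEAKY = """\
From: "Alice Example" <member@service.example>
Reply-To: "Alice Example" <alice@home.example>
To: bob@mail.example
Subject: hello

hi
"""

MASKED = """\
From: "Alice Example" <member@service.example>
Reply-To: "Alice Example" <relay-7f3a@service.example>
To: bob@mail.example
Subject: hello

hi
"""

# Headers a recipient's mail client may use or display as a return address.
RETURN_HEADERS = ("Reply-To", "Sender", "Return-Path",
                  "Disposition-Notification-To")


def leaked_addresses(raw_message, service_domain):
    """Return (header, address) pairs that expose a sender address outside
    the service's own domain, i.e. anything other than the masking alias."""
    msg = message_from_string(raw_message)
    service_domain = service_domain.lower()
    leaks = []
    for header in ("From",) + RETURN_HEADERS:
        # A header may appear more than once and may hold several addresses.
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if not addr:
                continue
            domain = addr.rpartition("@")[2].lower()
            if domain != service_domain:
                leaks.append((header, addr))
    return leaks


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("masked", MASKED)):
        print(label, leaked_addresses(raw, "service.example"))
```

Run as a pre-send test, a non-empty result means the member's own address would reach the recipient regardless of the profile privacy setting.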