Information Security News mailing list archives

Confirmed Email Privacy Hole at Orkut


From: InfoSec News <isn () c4i org>
Date: Wed, 4 Feb 2004 03:55:56 -0600 (CST)

http://www.lifewithalacrity.com/2004/02/confirmed_email.html

Christopher Allen
Posted on February 1, 2004 

Another Orkut user and I have confirmed a privacy hole in Orkut 
whenever you send a message to someone via Orkut.

For instance, whenever I send a message to anyone in the system that 
is forwarded by email, in the message headers it will read:

From: "Christopher Allen" <member () orkut com>
Reply-To: "Christopher Allen" 
<christophera () alacritymanagement com>;

When someone reads the message in their email software, the "From:"
line will be my name but the fake email of <member () orkut com> --
however, when you reply to it, it will use my real email address. This
appears to happen whether or not I have my privacy settings to reveal
my email address. For instance, I can set it so that no one (not
friends, not friends of friends, only myself) can see my email
address, but the address will still be revealed when I send an email.

I had reported what I thought was a security flaw when you emailed 
"friends of friends" a couple of days ago, but I was mistaken, as I 
reported in my blog post Insecurity at Orkut. However, as I didn't 
want to risk "crying wolf" this time, my friend and I triple-checked 
this and have confirmed this privacy flaw.

[...]
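As an added illustration (not part of Allen's post, and not anything Orkut shipped): the leak above comes from the relay setting a placeholder From: address but putting the sender's real address in Reply-To:, which mail clients use as the reply target whenever it is present. The script below parses a relayed message and reports whether the address a reply would go to falls outside the relay's domain. The relay domain, both sample messages and the "safe" variant are assumptions constructed for this example; the addresses are de-obfuscated from the "user () host" form used in the archive.

```python
"""Check a relayed message for the Reply-To leak pattern described above.

A forwarding service that hides the sender behind a placeholder From:
address must not put the sender's real address in Reply-To:, because
mail clients reply to Reply-To: (when present) rather than From:.
This script parses a message and reports whether the reply target
exposes an address outside the relay's own domain.
"""

from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption for this example: the service's placeholder domain.
RELAY_DOMAIN = "orkut.com"

# Constructed sample reproducing the header pattern quoted in the post.
LEAKY_MESSAGE = b"""\
From: "Christopher Allen" <member@orkut.com>
Reply-To: "Christopher Allen" <christophera@alacritymanagement.com>
To: recipient@example.net
Subject: Orkut message
Content-Type: text/plain; charset="us-ascii"

Hi there.
"""

# Constructed "safe" variant: Reply-To points back at the relay, so a
# reply never carries the sender's real address to the recipient.
SAFE_MESSAGE = b"""\
From: "Christopher Allen" <member@orkut.com>
Reply-To: "Christopher Allen" <member@orkut.com>
To: recipient@example.net
Subject: Orkut message
Content-Type: text/plain; charset="us-ascii"

Hi there.
"""


def reply_target(raw: bytes) -> str:
    """Return the address a mail client will reply to: Reply-To if present,
    otherwise From. Lower-cased so domain comparisons are case-insensitive."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    header = msg.get("Reply-To") or msg.get("From") or ""
    _name, addr = parseaddr(str(header))
    return addr.lower()


def leaks_sender_address(raw: bytes, relay_domain: str = RELAY_DOMAIN) -> bool:
    """True when the visible From: is the relay's placeholder but a reply
    would be addressed to a mailbox outside the relay domain, i.e. the
    relay has exposed the sender's real address via Reply-To:."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _name, from_addr = parseaddr(str(msg.get("From", "")))
    from_hidden = from_addr.lower().endswith("@" + relay_domain)
    target = reply_target(raw)
    target_domain = target.rsplit("@", 1)[-1] if "@" in target else ""
    return from_hidden and target_domain != relay_domain


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_MESSAGE), ("safe", SAFE_MESSAGE)):
        print(f"{label}: reply goes to {reply_target(raw)}; "
              f"leak={leaks_sender_address(raw)}")
```

The check is deliberately header-only: it does not need the body, so it can run against a sample of outbound mail at the relay before delivery, or against received mail to confirm a report like the one above without trusting the sender's privacy settings. A relay that wants replies to reach the sender without disclosing the address has to route them through its own domain rather than copying the real mailbox into Reply-To:.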



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
