[ISN] Confirmed Email Privacy Hole at Orkut

From: InfoSec News (isn@private)
Date: Wed Feb 04 2004 - 01:55:56 PST


    http://www.lifewithalacrity.com/2004/02/confirmed_email.html
    
    Christopher Allen
    Posted on February 1, 2004 
    
    Another Orkut user and I have confirmed a privacy hole in Orkut 
    whenever you send a message to someone via Orkut.
    
    For instance, whenever I send a message to anyone in the system that 
    is forwarded by email, in the message headers it will read:
    
    From: "Christopher Allen" <member@private>
    Reply-To: "Christopher Allen" <christophera@private>
    
    When someone reads the message in their email software, the "From:"
    line will be my name but the fake email of <member@private> --
    however, when you reply to it, it will use my real email address. This
    appears to happen whether or not I have my privacy settings to reveal
    my email address. For instance, I can set it so that no one (not
    friends, not friends of friends, only myself) can see my email
    address, but the address will still be revealed when I send an email.
    
    I had reported what I thought was a security flaw when you emailed to 
    "friends of friends" a couple of days ago, but I was mistaken, as I 
    reported in my blog Insecurity at Orkut. However, as I didn't want to 
    risk "crying wolf" this time, my friend and I triple-checked this 
    and have confirmed this privacy flaw.
    
    [...]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
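
The header mismatch described in the post can be caught by a pre-send check in a relay mailer. The following is an added example, not code from the original post or from Orkut; the addresses, the `address_hidden` flag and the function name are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers through which a relay can disclose the sender's own address.
ADDRESS_HEADERS = ("From", "Reply-To", "Sender", "Return-Path",
                   "Errors-To", "Disposition-Notification-To")

# Constructed sample shaped like the headers quoted in the post:
# masked From, real address in a folded Reply-To.
SAMPLE = (
    'From: "Example Member" <member@relay.example>\n'
    'Reply-To: "Example Member"\n'
    ' <alice@home.example>\n'
    'To: bob@mail.example\n'
    'Subject: hello\n'
    '\n'
    'message text\n'
)

def leaked_headers(raw_message, real_address, address_hidden):
    """Return the sorted names of headers that disclose real_address.

    address_hidden mirrors the member's privacy setting (hypothetical
    flag): True means no other member may see the address.
    """
    if not address_hidden:
        return []
    msg = message_from_string(raw_message)
    target = real_address.strip().lower()
    leaks = set()
    for name in ADDRESS_HEADERS:
        # Unfold continuation lines before parsing the address list.
        values = [" ".join(v.split()) for v in msg.get_all(name, [])]
        for _display_name, addr in getaddresses(values):
            if addr.lower() == target:
                leaks.add(name)
    return sorted(leaks)

if __name__ == "__main__":
    print(leaked_headers(SAMPLE, "alice@home.example", True))
```

Run against every outgoing relayed message, a non-empty result means the message should be held back or have the listed headers rewritten to the masked address before delivery.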
    



    This archive was generated by hypermail 2b30 : Wed Feb 04 2004 - 04:40:02 PST