
Confirmed Email Privacy Hole at Orkut
2004-02-04 09:55

http://www.lifewithalacrity.com/2004/02/confirmed_email.html

Christopher Allen
Posted on February 1, 2004

Another Orkut user and I have confirmed a privacy hole in Orkut whenever you send a message to someone via Orkut.

For instance, whenever I send a message to anyone in the system that is forwarded by email, in the message headers it will read:

From: "Christopher Allen"
Reply-To: "Christopher Allen" ;

When someone reads the message in their email software, the "From:" line will be my name but the fake email of -- however, when you reply to it, it will use my real email address.

This appears to happen whether or not I have my privacy settings to reveal my email address. For instance, I can set it so that no one (not friends, not friends of friends, only myself) can see my email address, but the address will still be revealed when I send an email.

I had reported what I thought was a security flaw when you emailed to "friends of friends" a couple of days ago, but I was mistaken, as I reported in my blog Insecurity at Orkut. However, as I didn't want to risk "crying wolf" this time, my friend and I triple-checked this and have confirmed this privacy flaw.

[...]


News URL

http://www.lifewithalacrity.com/2004/02/confirmed_email.html
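
The header mismatch described in the post can be checked mechanically on any relayed notification. The following Python check is an added example, not part of the original post and not Orkut's code; the sample message, all addresses, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers a mail client may display as the sender or use to address a reply.
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

# Constructed sample (not from the page): a relayed notification whose From
# shows a masked service address while Reply-To carries the member's own one.
SAMPLE = """\
From: "Example Member" <member-1234@relay.example.com>
Reply-To: "Example Member" <real.person@example.org>
To: friend@example.net
Subject: hello

Message body.
"""


def leaked_headers(raw_message, private_addresses):
    """Return sorted (header, address) pairs where a private address appears."""
    msg = message_from_string(raw_message)
    private = {a.lower() for a in private_addresses}
    leaks = set()
    for header in ADDRESS_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr.lower() in private:
                leaks.add((header, addr.lower()))
    return sorted(leaks)


def reply_target(raw_message):
    """Address a reply goes to: Reply-To when present, otherwise From."""
    msg = message_from_string(raw_message)
    for header in ("Reply-To", "From"):
        addrs = [a for _n, a in getaddresses(msg.get_all(header, [])) if a]
        if addrs:
            return addrs[0].lower()
    return None


if __name__ == "__main__":
    print(leaked_headers(SAMPLE, ["real.person@example.org"]))
    print(reply_target(SAMPLE))
```

Run against outbound notifications in a test environment with the account's privacy setting at its strictest; any pair returned by `leaked_headers` means the relay discloses the address regardless of that setting.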