Date: Thu, 7 Dec 2006 22:07:19 +0000
From: "Ronald MacDonald" <ronald@...cd.com>
To: "Rajesh Sethumadhavan" <rajesh.sethumadhavan@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Orkut Email Address Disclosure Vulnerability

Hi Rajesh,

> Description:
> A remote attacker can get the email address of anyone in the orkut as
> demonstrated below. The victim interaction is not required at all.
>
> Demonstration:
> Note: Demonstration leads to email address information disclosure
> - Login to your orkut account
> - Add any user as your friend (Person you want to get email address)
> - Click 'friends' tab
> - Click 'open friend requests' tab
> - Click edit button the email address of the user will be displayed
> as in the screenshot
> Same way you can find your friends email address also

It's not an 'exploit' but a 'feature' of the portal that orkut uses on
its website, and is no more serious than posting your email address on
a mailing list.

Regards,
Ronald.

--
Ronald MacDonald
http://www.rmacd.com/
0777 235 1655

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/