Re: [Full-disclosure] Orkut Email Address Disclosure Vulnerability
- From: "Ronald MacDonald" <ronald@xxxxxxxxx>
- Date: Thu, 7 Dec 2006 22:07:19 +0000
Hi Rajesh,
> Description:
> A remote attacker can get the email address of anyone in the orkut as
> demonstrated below. The victim interaction is not required at all.
> Demonstration:
> Note: Demonstration leads to email address information disclosure
> - Login to your orkut account
> - Add any user as your friend (Person you want to get email address)
> - Click 'friends' tab
> - Click 'open friend requests' tab
> - Click edit button; the email address of the user will be displayed
> as in the screenshot
> Same way you can find your friend's email address also

It's not an 'exploit' but a 'feature' of the portal that orkut uses on
its website, and is no more serious than posting your email address on
a mailing list.
Regards,
Ronald.
--
Ronald MacDonald
http://www.rmacd.com/
0777 235 1655
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/