Another Orkut user and I have confirmed a privacy hole in Orkut whenever you send a message to someone via Orkut.
For instance, whenever I send a message to anyone in the system that is forwarded by email, in the message headers it will read:
From: "Christopher Allen" <email@example.com>
Reply-To: "Christopher Allen" <firstname.lastname@example.org>;
When someone reads the message in their email software, the "From:" line will be my name but the fake email of <email@example.com> -- however, when you reply to it, it will use my real email address. This appears to happen whether or not I have my privacy settings set to reveal my email address. For instance, I can set it so that no one (not friends, not friends of friends, only myself) can see my email address, but the address will still be revealed when I send an email.
I had reported what I thought was a security flaw when you emailed to "friends of friends" a couple of days ago, but I was mistaken, as I reported in my blog Insecurity at Orkut. However, as I didn't want to risk "crying wolf" this time, my friend and I triple-checked this and have confirmed this privacy flaw.
The only way that I know of to avoid this is in your preferences to set that all of your messages should be sent to you via the web, not email. [Updated: I was wrong, there is no way currently to avoid this other than not using an email address you care about.]
There are some that will say that this is a feature, i.e. when using email "what good is communicating with someone if there is no chance of a response" -- my answer to this is that an expectation has been set that email addresses can remain private, and if this is to be a feature, then users should be warned before sending an email "Your email address user@domain will be revealed when you send this." More ideally, like other social networking services, the "Reply-to:" should be to a special email address at Orkut that will do the lookup and forward appropriately.
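The relay approach suggested above can be sketched as follows. This is an added example, not code from the original post or from Orkut; the relay domain, the `reply+<token>` alias format and the `ReplyRelay` class are assumptions made for illustration.

```python
import hashlib
import hmac
from email.headerregistry import Address
from email.message import EmailMessage

RELAY_DOMAIN = "relay.example.net"  # assumed relay domain (placeholder)


class ReplyRelay:
    """Maps opaque Reply-To aliases to members' real addresses, server-side."""

    def __init__(self, key: bytes):
        self._key = key
        self._aliases = {}  # token -> (sender_addr, recipient_addr)

    def _alias(self, sender_addr: str, recipient_addr: str) -> Address:
        # Keyed hash: stable per conversation, but reveals nothing about the
        # sender's address to anyone who only sees the message headers.
        pair = f"{sender_addr.lower()}\0{recipient_addr.lower()}".encode()
        token = hmac.new(self._key, pair, hashlib.sha256).hexdigest()[:24]
        self._aliases[token] = (sender_addr, recipient_addr)
        return Address(username=f"reply+{token}", domain=RELAY_DOMAIN)

    def build_notification(self, sender_name, sender_addr, recipient_addr, body):
        msg = EmailMessage()
        msg["From"] = Address(sender_name, "noreply", RELAY_DOMAIN)
        msg["Reply-To"] = self._alias(sender_addr, recipient_addr)
        msg["To"] = recipient_addr
        msg["Subject"] = f"New message from {sender_name}"
        msg.set_content(body)
        return msg

    def route_reply(self, rcpt_to: str, envelope_from: str):
        """Return the real address to forward a reply to, or None to reject."""
        local, _, domain = rcpt_to.lower().partition("@")
        if domain != RELAY_DOMAIN or not local.startswith("reply+"):
            return None
        entry = self._aliases.get(local[len("reply+"):])
        if entry is None:
            return None
        sender_addr, recipient_addr = entry
        # Only the original recipient may use the alias, so a leaked alias is
        # not an open forwarder to the sender's mailbox.
        if envelope_from.lower() != recipient_addr.lower():
            return None
        return sender_addr
```

The sender's real address exists only in the relay's server-side table, so it never appears in the headers or body delivered to the recipient.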
One of the essential problems that Orkut needs to fix very soon is how to report problems like these, and, if you are trying to help, how to know that these problems exist. I want my criticism to be constructive, but it is very hard when you have no idea what is the best way to offer feedback. I've had many people reply to me in my blog and via email that they feel the same way.
For instance, right now there are 6 Orkut groups about Orkut:
Which groups should I post this problem to? Which will be read by the Orkut staff?
As I've said in another of my blog postings Followup on Orkut:
Part of the problem is that even though Orkut is in beta, there is no organized feedback system. For instance they could offer a forum read by the developers, or even better a bug/issues tracking system like TypePad has, or Bugzilla.
In addition, feedback is a two-way street -- they could do a lot by offering a developers daily blog, or some type of regular announcement of what feature they wanted beta testers to test that day, or even acknowledgement "we already know that is an issue". Also, they need to show respect for good feedback publicly, as that will encourage more good feedback.
None of this is happening at this time, which means that people get frustrated, which also makes it easy for rumors and conspiracy to spread. I want to be a constructive critic, but Orkut makes it hard for me to be so.
For now, I recommend that these types of bug reports go into Orkut Beta. Why not in "Flaws in Orkut" or in one of the other groups? Because I feel that focusing on 'Flaws' is too strongly negative, and none of the others quite fit. I've been a software developer -- everything is a compromise and good design is hard. By staying on the topics of current features, feature requests, bugs, suggestions, and by encouraging constructive criticism and a balance of both positive and negative feedback, this group will be the best community for us to help Orkut until they offer us better alternatives.