lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1089048790.40e990d6634ce@www.mailsurf.com>
From: amforward at mailsurf.com (amforward@...lsurf.com)
Subject: Gmail Information Disclosure Vulnerability

System Outage wrote:
|...why do many decide to post the exploit along with the advisory.

I'd like to draw your attention to the fact that the accompanying code to the 
advisories you talk about is usually not referred to as "exploits." These are 
actually called "proof of concepts."

It's true some people misuse them, but these "exploits" do help greatly in 
understanding the problem, finding more similar/related problems, and even 
patching it/them.

|...a serious hole exposed to the public, before the vendor (Gmail) has had a 
|chance to scramble |together an incident response and get the hole patched 
|out, before a serious number of account's |become compromised on the service.

I agree with you. "Serious" holes should be reported to the vendor some time 
before it's disclosed to public. Patience is a must in this case (not infinite 
though). However, I don't think this applies to the thread we are talking 
about. This is a vulnerability with very low severity. This is also a beta 
service and you should use it at your own risk.

Aside from that,
I am, however, still concerned whether this vulnerability can be escalated to 
higher severity. Could the same problem exist with other scripts? Can I edit my 
profile, for example, and find someone else's profile, and perhaps his secret 
answer?

Your thoughts are highly appreciated.

Regards,
Ahmed Motaz

------------------------------------------------------
Mailsurf.com your communication portal for SMS,
Email, Fax, E-Cards and more. www.mailsurf.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ