Message-ID: <Pine.LNX.4.44.0407051330110.30836-100000@toutatis.igt.net>
From: inouk at igt.net (Eric LeBlanc)
Subject: Gmail Information Disclosure Vulnerability
On Mon, 5 Jul 2004, System Outage wrote:
> If it's about posting advisories, why do many decide to post the exploit along with the advisory? To me this is not a responsible thing to do. Who knows how many script kiddies are sleeping on this list and taking advantage of the free exploit giveaways seen here.
>
> 10 days isn't an awfully long time, and the vendor never made primary contact with the user in question. Meaning, for whatever reason, the e-mail may not have been delivered, and because of this the Gmail Team could easily have been caught short on this issue, with a serious hole exposed to the public before the vendor (Gmail) has had a chance to scramble together an incident response and get the hole patched, and before a serious number of accounts become compromised on the service.
>
> There is a difference between responsible "Full Disclosure" and irresponsible "Full Disclosure".
>
>
> Cheerio
>
> Tremaine <tremaine@...il.com> wrote:
> It's about posting security advisories. The initial poster advises
> they notified the gmail team, and posted this advisory 10 days later.
>
> It is immaterial whether an application is in alpha, beta or
> production. If the software or application is in use outside the
> development team, and there is a security issue, it is relevant to
> this list.
>
>
> It's called Full Disclosure for a reason... not partial disclosure,
> not disclosure of production applications only... Full Disclosure.
>
> If you want partial disclosure, you may need to rethink your
> subscription to the list.
>
>
>
> --
> Tremaine
> IT Security Consultant
>
I agree with "System Outage". Gmail clearly told us that their website is
in BETA stage.
For me, when software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
this software MAY HAVE security holes. That's why they want us to test
this site before the public release, and it's our job to notify
the Gmail team of all bugs AND security holes we may find. As long as
this website is in beta stage, any advisory that someone may send to this
list or elsewhere is NOT considered a 'Security Advisory' for me.
The original author may not receive answers from the Gmail Team, but this
site is NOT IN PRODUCTION. When the Gmail site is official and this
bug is still there, THEN you can publish your security advisory.
Furthermore, the best people for testing the software (bugs and security
holes) are the public. They can do many things which we would never have
thought of or imagined.
BTW, I'm sure that the Gmail developers expect that the public will find
some security holes...
If we must publish all security advisories about beta software, this list
will be flooded...
E.
--
Eric LeBlanc
inouk@....net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================