Message-ID: <20040705190733.94211.qmail@web53207.mail.yahoo.com>
From: system_outage at yahoo.com (System Outage)
Subject: Gmail Information Disclosure Vulnerability

I fully agree with you on this topic. I found it hard to believe users were posting advisories for Gmail before public release. In my view all issues should be directed to Gmail, and if the user wishes to use lists, such as FD, the user should wait until the service is available to the public and then, perhaps, send it to FD for discussion.
 
The user could also state the discovery date and various other timeline dates, to give the user some better acknowledgement in the advisory. This will prove (if the user wishes it to be known) they did find the hole at the Beta stage and that Gmail let it slip through the net.
 
I suspect -a lot- of vulnerabilities will come to light the week that Gmail makes the service public. I think a lot of users are holding back until then; I may be wrong though.
 
 
Cheerio
 


Eric LeBlanc <inouk@....net> wrote:
I agree with "System Outage". Gmail clearly told us that their website is
in BETA stage.

For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
this software MAY HAVE security holes. That's why they want us to test
this site before going to the public release, and it's our job to notify
to the gmail team all bugs AND security holes we may find. As long as
this website is in beta stage, all advisories that someone may send in this
list or elsewhere are NOT considered 'Security Advisory' for me.

The original author may not receive answers from the Gmail Team, but this
site is NOT IN PRODUCTION. When gmail site will be official and when this
bug is still there, NOW you can publish your security advisory.

Furthermore, the best people for testing the software (bugs and security
holes) are the public. They can do many things which we would never have
thought of or imagined.

BTW, I'm sure that the Gmail developers expect that the public will find
some security holes...

If we must publish all security advisories about beta software, this list
will be flooded...

E.
--
Eric LeBlanc
inouk@....net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

		