Message-ID: <200407052109.53512.fulldisc@ultratux.org>
From: fulldisc at ultratux.org (Maarten)
Subject: Gmail Information Disclosure Vulnerability

On Monday 05 July 2004 19:42, Eric LeBlanc wrote:
> On Mon, 5 Jul 2004, System Outage wrote:

> I agree with "System Outage".  Gmail clearly told us that their website is
> in BETA stage.

Beta, alpha, released, yada yada.  Gmail is OPEN for the public, albeit you 
need "an invitation".  Thus, enough reason to disclose security holes.

> For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
> this software MAY HAVE security holes.  That's why they want us to test
> this site before going to the public release, and it's our job to notify
> to the gmail team all bugs AND security holes we may find.  As long as
> this website is in beta stage, all advisories that someone may send in this
> list or elsewhere are NOT considered 'Security Advisory' for me.

Hm.  By that standard, we could not ever disclose stuff about microsoft 
software.  Cause their stuff is indefinitely beta, hahaha.  ;-)

> The original author may not receive answers from the Gmail Team, but this
> site is NOT IN PRODUCTION.  When gmail site will be official and when this
> bug is still there, NOW you can publish your security advisory.

So, the solution to having embarrassing security problems published is never 
declare the program "Released".  Can someone please tell microsoft? They'd be 
real interested to declare IE and Outlook beta-software forever in that case. 

> Furthermore, the best people for testing the software (bugs and security
> holes) is the public.  They can do many things which we will never
> thought or imagined.

Well now, isn't this  e x a c t l y  what's happening here ?

> BTW, I'm sure that the Gmail developers expect that the public will find
> some security holes...
>
> If we must publish all security advisories about beta software, this list
> will be flooded...

The very reason to HAVE a beta test phase is to find and flush out bugs early. 
Doing that, the released program can be as flawless as can be.  So when would 
you suggest disclosing bugs is a good time ? Release date being too late... 

Maarten

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

