| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 2 May 2009 23:02:23 -0400 From: ghost <ghosts@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: PayPal donation form reveals beneficiary's email address You wrote a security advisory with 11 references which you provided on the bottom simply to say... paypal leaks your e-mail address. The security industry is not for you, go back to checkers. On Sat, May 2, 2009 at 3:52 PM, Eitan Caspi <eitancaspi@...oo.com> wrote: > I agree Frank, and so I wrote "By clicking a recent version (so I believe, I can't trace and test various versions) of a PayPal Donation button...". > > It doesn't happen in ALL of the donation buttons. I also believe this happens mostly in button codes created by the PayPal site and less or at all in donation buttons/forms manually created by the beneficiary at its own site, and I think the site you linked to is made just with this kind of manual code. > > Eitan > > -----Original Message----- > From: Frank Dietrich [mailto:bits_n_bytes@....de] > Sent: Saturday, May 02, 2009 8:50 PM > To: full-disclosure@...ts.grok.org.uk > Cc: eitancaspi@...oo.com > Subject: Re: [Full-disclosure] PayPal donation form reveals beneficiary's email address > > Hi Eitan, > > Eitan Caspi <eitancaspi@...oo.com> wrote: >>3. At the donation request page you landed at click the donation >>button ... >>[...] >>4. Read the beneficiary's primary email address at the top of the >>donation form in PayPal (located in the "h1" section of the HTML >>code of the form). > > May be not true for every paypal donation form. > If you click on following site on the doante button > http://www.art-stream.org/donate.php#donate-now > there is no email address in the page source. > Or I don't get the point. > > regards > Frank > -- > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists