lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1394882848.51304.YahooMailNeo@web172502.mail.ir2.yahoo.com>
Date: Sat, 15 Mar 2014 11:27:28 +0000 (GMT)
From: M Kirschbaum <pr0ix@...oo.co.uk>
To: Mario Vilas <mvilas@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Google vulnerabilities with PoC

Dear Mario,
 
There is nothing to gain being on either side. I have already read the thread replies by M. Zalewski. I believe Google is false and does not honor the security community.
 Rgds,

M. Kirschbaum 
 
 
 
 
 



On Saturday, 15 March 2014, 11:11, Mario Vilas <mvilas@...il.com> wrote:
  
I believe Zalewski has explained very well why it isn't a vulnerability, and you couldn't possibly be calling him hostile. :) 



On Sat, Mar 15, 2014 at 11:20 AM, M Kirschbaum <pr0ix@...oo.co.uk> wrote:

I have been watching this thread for a while and I think some people are being hostile here. 
>  
>There is nothing to gain being on eithers side but for the sake of security. As a penetration tester, writer, and malware analyst with a long and rewarding career...it would be absurd to admit that this is not a vulnerability. If the content-type fields can be altered and the API accepts it that is undoubtedly a vulnerability, I believe that it shouldn't be there. It would be a shame to say that this is not a security problem. I have seen different responses on this thread but having seen the proof of concept images as well I just think that some of the people commenting here are just being hostile. 
>  
>It doesn't take much for somebody in the field, to see clearly that Google does not want to pay. And I bet any amount of money that the bug bounty program is a way for filing potential threats by name and bank details. 
> 
>Rgds,
>M. Kirschbaum  
> 
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>


-- 
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ