Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability

amforward_at_mailsurf.com
Date: 07/05/04

Next message: Eric LeBlanc: "Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability"

Previous message: Rodrigo Barbosa: "Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability"
Maybe in reply to: amforward_at_mailsurf.com: "[Full-Disclosure] Gmail Information Disclosure Vulnerability"
Next in thread: System Outage: "Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability"
Reply: System Outage: "Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: system_outage@yahoo.com
Date: Mon,  5 Jul 2004 17:33:10 +0000

System Outage wrote:
|...why do many decide to post the exploit along with the advisory.

I'd like to draw your attention to the fact that the accompanying code to the
advisories you talk about is usually not referred to as "exploits." These are
actually called "proof of concepts."

It's true some people misuse them, but these "exploits" do help greatly in
understanding the problem, finding more similar/related problems, and even
patching it/them.

|...a serious hole exposed to the public, before the vendor (Gmail) has had a
|chance to scramble |together an incident response and get the hole patched
|out, before a serious number of account's |become compromised on the service.

I agree with you. "Serious" holes should be reported to the vendor some time
before it's disclosed to public. Patience is a must in this case (not infinite
though). However, I don't think this applies to the thread we are talking
about. This is a vulnerability with very low severity. This is also a beta
service and you should use it at your own risk.

Aside from that,
I am, however, still concerned whether this vulnerability can be escalated to
higher severity. Could the same problem exist with other scripts? Can I edit my
profile, for example, and find someone else's profile, and perhaps his secret
answer?

Your thoughts are highly appreciated.

Regards,
Ahmed Motaz

------------------------------------------------------
Mailsurf.com your communication portal for SMS,
Email, Fax, E-Cards and more. www.mailsurf.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Eric LeBlanc: "Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability"

Previous message: Rodrigo Barbosa: "Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability"
Maybe in reply to: amforward_at_mailsurf.com: "[Full-Disclosure] Gmail Information Disclosure Vulnerability"
Next in thread: System Outage: "Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability"
Reply: System Outage: "Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]