Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit

From: n3td3v (xploitable_at_gmail.com)
Date: 10/31/04

    To: full-disclosure@lists.netsys.com
    Date: Sun, 31 Oct 2004 03:22:57 +0000
    
    

    I feel sorry for all the security pros outside of gmail and google, so
    I say the below on behalf of them...

    Should the general public be expecting a disclosure of the
    vulnerability to security mailing lists once a solution has been
    implemented to patch the hole, so other web-based services are aware
    of the possibility of the same problem being an issue for them, or
    should gmail be keeping everything secret after they patch?

    I guess if gmail team did not want to make a public disclosure of the
    vulnerability, the gmail folks would send a private e-mail to people
    like yahoo, if it was found to be a current issue for other web-based
    e-mail services, or in future possibilities.

    If none of the above, can we expect the "hacker" to make an
    announcement once he has heard back from the vendor that a solution
    and patch has been implemented?

    If this was a private disclosure, then no one would be asking for a
    public announcement of the vulnerability, but since this has been made
    into a public, high profile disclosure, is it not right in the public
    interest for either the "hacker" or gmail team to make the
    vulnerability known, after it's safe to do so?

    Thanks,

    n3td3v

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

