Full Disclosure mailing list archives
Re: Gmail Information Disclosure Vulnerability
From: Remko Lodder <remko () elvandar org>
Date: Mon, 05 Jul 2004 22:53:54 +0200
Hi Maarten, and the rest,

Maarten wrote:
On Monday 05 July 2004 19:42, Eric LeBlanc wrote:
On Mon, 5 Jul 2004, System Outage wrote:
I agree with "System Outage". Gmail clearly told us that their website is in BETA stage.
Beta, alpha, released, yada yada. Gmail is OPEN for the public, albeit you need "an invitation". Thus, enough reason to disclose security holes.
It's being used by others than Gmail personnel, so privacy and information that could be YOURS is at stake here. You just opened up an e-creditcard and got the numbers and information stolen; whoops, sorry, since it was vulnerable, now I have the codes as well. I need a car, I will use your creditcard. Thank you very much, mister X, saved me a lot of money (of course there can be other things in your mailbox as well...)
For me, when software is in 'BETA' (or 'ALPHA'), we SHOULD expect that this software MAY HAVE security holes. That's why they want us to test this site before going to the public release, and it's our job to notify the Gmail team of all bugs AND security holes we may find. As long as this website is in beta stage, all advisories that someone may send to this list or elsewhere are NOT considered 'Security Advisory' for me.
I do consider them as Security Advisories. It's being used in the wild, more and more people are using it, and more and more information is at risk. Disclosing a bug first to Gmail and then to FD is a normal way of responding to bugs. That way we ALL profit from it.
The original author may not receive answers from the Gmail Team, but this site is NOT IN PRODUCTION. When the Gmail site is official and this bug is still there, THEN you can publish your security advisory.
What exactly do you want to tell us? Wait until hundred(s) more people are vulnerable to privacy disclosure? Somehow I get the feeling you came from Mars with happy campers that don't care about privacy and about disclosing information that could risk your privacy.
Furthermore, the best people for testing the software (bugs and security holes) are the public. They can do many things which we would never have thought of or imagined.
Indeed, that is why Gmail is letting people in, and the group is getting bigger. Finding bugs, reporting them to Gmail and then disclosing them is a normal way to follow.
BTW, I'm sure that the Gmail developers expect that the public will find some security holes... If we must publish all security advisories about beta software, this list will be flooded...
Beta software is not always used by thousands of people, a number which gets larger every day... Still, I like the disclosure so I know that there are bugs taken out of the system before production. I would get an itch if I never heard of bugs in the application before. That means that with the current state of coding and defense mechanisms there are LOTS of bugs still present in the system. Now I would not use that ever in my life..
The very reason to HAVE a beta test phase is to find and flush out bugs early. Doing that, the released program can be as flawless as can be. So when would you suggest disclosing bugs is a good time? Release date being too late...
Exactly, disclose to Gmail now, and then inform the public. Again, and I repeat that again, it's a normal way of handling.
Maarten
Cheers

--
Kind regards,
Remko Lodder | remko () elvandar org
Reporter DSINet | remko () dsinet org
Projectleader Mostly-Harmless | remko () mostly-harmless nl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Gmail Information Disclosure Vulnerability, (continued)
- Re: Gmail Information Disclosure Vulnerability Syke (Jul 05)
- RE: Gmail Information Disclosure Vulnerability Mark Laurence (Jul 05)
- Re: Gmail Information Disclosure Vulnerability Will Image (Jul 05)
- Re: Gmail Information Disclosure Vulnerability Tremaine (Jul 05)
- Re: Gmail Information Disclosure Vulnerability System Outage (Jul 05)
- Re: Gmail Information Disclosure Vulnerability Rodrigo Barbosa (Jul 05)
- Re: Gmail Information Disclosure Vulnerability Eric LeBlanc (Jul 05)
- Re: Gmail Information Disclosure Vulnerability Tremaine (Jul 05)
- Re: Gmail Information Disclosure Vulnerability System Outage (Jul 05)
- Re: Gmail Information Disclosure Vulnerability Maarten (Jul 05)
- Re: Gmail Information Disclosure Vulnerability Remko Lodder (Jul 05)
- Re: Gmail Information Disclosure Vulnerability Eric LeBlanc (Jul 05)
- Re: Gmail Information Disclosure Vulnerability a (Jul 11)
- Re: Gmail Information Disclosure Vulnerability Maarten (Jul 05)
- Re: Gmail/Yahoo! System Outage (Jul 05)
- Re: Gmail/Yahoo! VX Dude (Jul 06)
- Re: Yahoo! System Outage (Jul 07)
- Re: Yahoo! Geoffrey Huntley (Jul 07)
- Re: Yahoo! System Outage (Jul 07)
- Re: Yahoo! System Outage (Jul 07)
- RE: Gmail Information Disclosure Vulnerability Rodrigo Gutierrez (Jul 06)