Teen finds bugs in Google, Facebook, Apple, Microsoft code

[InfoSec News <alerts () infosecnews org>]

http://news.cnet.com/8301-27080_3-57369971-245/teen-finds-bugs-in-google-facebook-apple-microsoft-code/

By Elinor Mills
InSecurity Complex
CNet News
February 2, 2012

When he's not at school, 15-year-old Cim Stordal spends his time playing 
the Team Fortress video game, shooting his Airsoft pellet gun, and 
working in a fish shop in Bergen, Norway. But his real passion is 
finding bugs in software used by millions of people on the Internet.

Stordal has made the Google Security Hall of Fame, been credited with 
disclosing a cross-site scripting bug to Apple, been thanked by 
Microsoft for disclosing a vulnerability to the company, and received an 
elite White Hat Visa card from Facebook with $500 credit on it.

"I got a card for a self-persistent XSS [cross-site scripting flaw] at 
Facebook, and a nonpersistent XSS at Google, Microsoft, and Apple," he 
said in a recent Skype interview with CNET. (As a "self-persistent" 
issue, the bug Stordal disclosed was not exploitable by a third-party 
because it required a user to take an action to be at risk, according to 
Facebook.)

"I just look around at the site and find out where I can input HTML and 
stuff and it's not filtered in the source code. Often they filter some 
characters but forget some or they totally forget that input," he said. 
"What an attacker wants is often the cookie, which can be used to log-in 
as the user."

[...]


_____________________________________________________
Did a friend send you this article? Make it your
New Year's Resolution to subscribe to InfoSec News!
http://www.infosecnews.org/mailman/listinfo/isn