Vulnerability Development mailing list archives
Digg Security.
From: steve () quicksilverscreen com
Date: 11 May 2006 21:17:07 -0000
I accidentally discovered a gaping security hole at digg.com the other day, and like any conscientious white-hatter I reported it to the Digg crew via the 'report a web site bug' link, and by emailing abuse () digg com. Details of the flaw, and a proof of concept, can be found here: http://www.quicksilverscreen.com/archive/2006/05/11/digg_it_whether_you_like_it_or

They ignored me, so I went public: http://digg.com/security/Digg_it,_whether_you_like_it_or_not_

Digg's response was that they don't consider this a security hole, and they removed the article: http://digg.com/security/Digg_it,_whether_you_like_it_or_not_#1684258

In an email I received later, one of their developers told me that unless I can show them otherwise, they would not consider this a security problem, and would not fix it.

I encourage anyone who feels, like I do, that the ability to take an action utilizing another user's credentials and account, without their knowledge or permission, is a security hole to write Digg and explain your feelings. The email is abuse () digg com.

Thanks,
Steve Thompson

PS. This is my first post to the list, so I hope I am not out of line in posting this here. I'm not primarily a 'security guy'.
Current thread:
- Digg Security. steve (May 11)
- Re: Digg Security. Jon Keating (May 11)
- RE: Digg Security. Rocky (May 11)
- <Possible follow-ups>
- Re: Re: Digg Security. steve (May 12)
- Re: Digg Security. Jon Keating (May 11)