
SANS ISC: InfoSec Handlers Diary Blog



Gmail javascript vulnerability (fixed)

Published: 2006-03-02
Last Updated: 2006-03-02 01:47:01 UTC
by Swa Frantzen (Version: 1)

Earlier today we received a report of a JavaScript vulnerability in Gmail. We contacted Google and in the meantime they reported back on it being fixed. The issue seemed rather trivial to exploit.

Our Google contact also pointed out:
In the interest of minimizing the impact that security vulnerabilities have on our end users, we highly encourage anyone who discovers a vulnerability in a Google product or service to follow responsible disclosure policies by contacting us first at security/at/google/dot/com .

I'm sure most users of Gmail would rather have security issues handled like they suggest above instead of having it published on some blog first, next some reader finding it and us finally doing the right thing.

Is it that much to ask to send it off to the vendor first? Even if some vendors wait like forever, or take years to fix things. Not all of them are that way, so let's at the very least give them a heads-up warning.

And if you cannot find the address where to do it, we'll gladly help you search for it.

--
Swa Frantzen