Security Basics mailing list archives

Re: Is Basecamp - risky?
From: fukami <fukami () sektioneins de>
Date: Fri, 14 Sep 2007 21:17:22 +0200

On 14.09.2007, at 16:53, Jax Lion wrote:

> Has your company or client used this tool or similar? What are the risks
> of online collaboration tools? What were the steps taken to reduce the

My old company used Basecamp. It still has a lot of XSS problems. I told David Heinemeier Hansson, who answered the following:

You can insert HTML many places in Basecamp by design. That's because the system is not public and working under the assumption that you only give access to people you trust. Which is very different from, say, an online discussion forum where everyone has access (and where you do need to worry about XSS).
David Heinemeier Hansson
Team Basecamp

That was more than a year ago. In between, DanBUK and I had some fun with an automation POC of time management, and I used a (non-public) Basecamp AIR app for demonstrating an account take-over.

So the short answer is: Don't use Basecamp if you care about security.

Take care,
