Full Disclosure mailing list archives

Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit
From: n3td3v <xploitable () gmail com>
Date: Sun, 31 Oct 2004 03:22:57 +0000

I feel sorry for all the security pros outside of gmail and google, so
I say the below on behalf of them...

Should the general public be expecting a disclosure of the
vulnerability to security mailing lists once a solution has been
implemented to patch the hole, so other web-based services are aware
of the possibility of the same problem being an issue for them, or
should gmail be keeping everything secret after they patch?

I guess if gmail team did not want to make a public disclosure of the
vulnerability, the gmail folks would send a private e-mail to people
like yahoo, if it was found to be a current issue for other web-based
e-mail services, or in future possibilities.

If none of the above, can we expect the "hacker" to make an
announcement once he has heard back from the vendor that a solution
and patch has been implemented?

If this was a private disclosure, then no one would be asking for a
public announcement of the vulnerability, but since this has been made
into a public, high profile disclosure, is it not right in the public
interest for either the "hacker" or gmail team to make the
vulnerability known, after it's safe to do so?



Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
