Vulnerability Development: Digg Security.

Digg Security.

From: <steve_at_quicksilverscreen.com>
Date: 11 May 2006 21:17:07 -0000
I accidentally discovered a gaping security hole at digg.com the other day, and like any conscientious white-hatter I reported it to the Digg crew via the 'report a web site bug' link, and by emailing abuse_at_digg.com.

Details of the flaw, and a proof of concept can be found here:
http://www.quicksilverscreen.com/archive/2006/05/11/digg_it_whether_you_like_it_or

They ignored me, so I went public: http://digg.com/security/Digg_it,_whether_you_like_it_or_not_

Digg's response was that they don't consider this a security hole, and they removed the article:
http://digg.com/security/Digg_it,_whether_you_like_it_or_not_#1684258

In an email I received later, one of their developers told me that unless I can show them otherwise, they would not consider this a security problem, and would not fix it.

I encourage anyone who feels, like I do, that the ability to take an action utilizing another user's credentials and account, without their knowledge or permission, is a security hole to write Digg and explain your feelings.

The email is abuse_at_digg.com.

Thanks,
Steve Thompson

PS. This is my first post to the list, so I hope I am not out of line in posting this here. I'm not primarily a 'security guy'.
Received on May 11 2006
