Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Digg Security.
From: steve () quicksilverscreen com
Date: 11 May 2006 21:17:07 -0000
I accidently discovered a gaping security hole at digg.com the other day, and like any conscientious white-hatter I 
reported it to the Digg crew via the 'report a web site bug' link, and by emailing abuse () digg com  

Details of the flaw, and a proof of concept can be found here:
http://www.quicksilverscreen.com/archive/2006/05/11/digg_it_whether_you_like_it_or

They ignored me, so I went public:  http://digg.com/security/Digg_it,_whether_you_like_it_or_not_

Diggs response was that they don't consider this a security hole, and they removed the article:
 http://digg.com/security/Digg_it,_whether_you_like_it_or_not_#1684258

In an email I recieved later one of their developers told me that unless I can show them otherwise, they would not 
consider this a security problem, and would not fix it.

I encourage anyone who feels, like I do, that the ability to take an action utilizing another users credentials, and 
account, without their knowledge or permission is a security hole to write digg and explain your feelings.

The email is abuse () digg com 

Thanks,
 Steve Thompson

PS. This is my first post to the list, so I hope I am not out of line in posting this here. I'm not primarily a 
'security guy'.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]