Full Disclosure mailing list archives

Re: Gmail Information Disclosure Vulnerability

From: "D.J. Capelis" <djcapelisp () yahoo com>
Date: Sun, 4 Jul 2004 17:41:19 -0700 (PDT)

The notion that this list is only for reporting
bugs in software that isn't in beta is absurd. 
If there's a major vulnerablity in gaim or
firefox I'd expect to hear about them on this
list.  (Both are in beta (firefox is alpha I
think they like to say these days?))  If there is
a large userbase using it that is vulnerable to a
security concern then it should be on this list. 
That's what this list is about, making people
aware and sharing new security vulnerabilities.

So stop shouting that (s)he's losing
"credibility" in the "scene."  In my eyes he
gained a lot by actually classifying his neat
little hack by saying it's got a really low
severity.  (And by finding a small hole in gmail,
there's plenty of people looking and google has
some great coders.)  More "respected" security
firms should take a leaf from his/her book and
learn to mark severity of their discoveries
correctly.

(And really?  The security "scene?"  What is this
too you, a little social teaparty?)

~D.J. Capelis~
Security and Cryptography Researcher

--- System Outage <system_outage () yahoo com>
wrote:

Gmail service is in Beta. You have no
credibility posting this advisory. The correct
channel to post such "bugs" is the Gmail
contact link for "bug reports". 
 
If you weren't a script kiddie or scene whore,
you would have known to hold information until
such a time that Gmail became a public service.
 
Then and only then would anyone take this
advisory seriously!
 
You obviously have no understanding of the
"Beta" state of a development. The fact that a
team of developers are in the state of "Beta"
means that the developers are fully aware the
service may not be entirely secure and they
wish feedback via Google's own beta "bug
report" channels.
 
All in all, this is  a "beta bug report" and
nothing else. If you had waited until the Gmail
dev team declared gmail a public release, you
would have gained more respect in the security
community scene.
 
Cheerio





        
                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
http://promotions.yahoo.com/new_mail 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Gmail Information Disclosure Vulnerability amforward (Jul 04)
- Re: Gmail Information Disclosure Vulnerability System Outage (Jul 04)
  - Re: Gmail Information Disclosure Vulnerability D.J. Capelis (Jul 04)
  - Re: Gmail Information Disclosure Vulnerability Rudolf Polzer (Jul 05)
- <Possible follow-ups>
- Re: Gmail Information Disclosure Vulnerability amforward (Jul 05)
  - Re: Gmail Information Disclosure Vulnerability System Outage (Jul 05)
    - Re: Gmail Information Disclosure Vulnerability Syke (Jul 05)
    - RE: Gmail Information Disclosure Vulnerability Mark Laurence (Jul 05)
    - Re: Gmail Information Disclosure Vulnerability Will Image (Jul 05)
    - Re: Gmail Information Disclosure Vulnerability Tremaine (Jul 05)
    - Re: Gmail Information Disclosure Vulnerability System Outage (Jul 05)
    - Re: Gmail Information Disclosure Vulnerability Rodrigo Barbosa (Jul 05)
    - Re: Gmail Information Disclosure Vulnerability Eric LeBlanc (Jul 05)

(Thread continues...)