科技回声

9 条评论

fjarlq大约 13 年前

Great job, Nils. I didn't know Google doubles the reward if it goes to charity.I wonder why Microsoft doesn't have a similar program. Hotmail just got hacked pretty bad[1], and the hackers were selling the vulnerability for chump change in forums[2]. What if they had an incentive to report it to Microsoft instead?[1] <a href="http://www.vulnerability-lab.com/get_content.php?id=529" rel="nofollow">http://www.vulnerability-lab.com/get_content.php?id=529</a>[2] <a href="http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hotmail-email-account-hacked-for-just-20/" rel="nofollow">http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hot...</a>

评论 #3907074 未加载

citricsquid大约 13 年前

A slight tangent, but I'm curious, can Google claim the donation is from Google for tax purposes even though it's under the instruction of Nils instead of him receiving cash? If so, is that why they offer to double it?

评论 #3906862 未加载

评论 #3906798 未加载

评论 #3906752 未加载

评论 #3908174 未加载

评论 #3907485 未加载

mladenkovacevic大约 13 年前

Great work and your reward went to a good cause. World needs more of you.

alain94040大约 13 年前

I'm always curious as to why such an obvious bug couldn't be detected automatically. Some piece of code is printing a user name without sanitizing it. Fixing that particular bug is easy, but the real challenge is that the existence of the bug proves that your verification methodology has holes.

评论 #3907147 未加载

评论 #3907222 未加载

chris_wot大约 13 年前

Nice work InformationWeek. There's nothing like reporting on a story about XSS issues and finding that you have the same issue.Of course, InformationWeek might like to actually fix that bug. Sometime soon?

jenius大约 13 年前

This is so awesome. White hat security not only to make the internet more secure, but to make the world a better place. Hats off to you man, this is really fantastic.

vizzah大约 13 年前

I wonder what are implications of having XSS on .google.com these days? All auth cookies are likely to be http-only, so probably not a serious vulnerability?

评论 #3907263 未加载

tectonic大约 13 年前

I wrote a blog post about how I found a number of bugs in Gmail.<a href="http://blog.andrewcantino.com/blog/2011/12/14/hacking-google-for-fun-and-profit/" rel="nofollow">http://blog.andrewcantino.com/blog/2011/12/14/hacking-google...</a>

VMG大约 13 年前

the InformationWeek XSS is still there:<a href="http://www.informationweek.com/influencer/security/616a45777252657276506c6830533652356a525737513d3d" rel="nofollow">http://www.informationweek.com/influencer/security/616a45777...</a>

9 条评论

fjarlq大约 13 年前

评论 #3907074 未加载

citricsquid大约 13 年前

评论 #3906862 未加载

评论 #3906798 未加载

评论 #3906752 未加载

评论 #3908174 未加载

评论 #3907485 未加载

mladenkovacevic大约 13 年前

Great work and your reward went to a good cause. World needs more of you.

alain94040大约 13 年前

评论 #3907147 未加载

评论 #3907222 未加载

chris_wot大约 13 年前

jenius大约 13 年前

This is so awesome. White hat security not only to make the internet more secure, but to make the world a better place. Hats off to you man, this is really fantastic.

vizzah大约 13 年前

I wonder what are implications of having XSS on .google.com these days? All auth cookies are likely to be http-only, so probably not a serious vulnerability?

评论 #3907263 未加载

tectonic大约 13 年前

VMG大约 13 年前

How a tweet about a XSS bug within Google+ leads to XSS within InformationWeek

9 条评论

How a tweet about a XSS bug within Google+ leads to XSS within InformationWeek

9 条评论