Comments on: Website Vulnerability Research and Disclosure

By: Jim Jones

Jim Jones — Sun, 01 Aug 2010 17:19:40 +0000

“….what about the 7.8 million vulnerabilities (plus) already out there?”

Stop using WinBlows and Hackintosh. Require TLS 1.2 & stop all other ssl key negotiation at core routers. Require 4G….. its a start…

By: Rob Lewis

Rob Lewis — Fri, 18 Jun 2010 01:46:24 +0000

Nice post. A sound position to take going forward.

As Jeremiah says though, what about the 7.8 million vulnerabiltlies (plus) already out there?

By: OscarZ

OscarZ — Thu, 17 Jun 2010 14:45:47 +0000

Interesting comments.

As a long time vuln analyst, I am uncomfortable seeing Goatse here in this difficult position. I will be surprised if they do not get criminal charges. Unfortunately, we know what they did was ethical, well meaning (probably had some ‘not so well meaning motives’ as well, but not nasty ones)… and simply inexperienced.

This is, really, a new situation.

Best for everyone: if it is taken into consideration that the webpages were publicly accessible, and that the vendor was warned, further that no data was abused.

This sort of disclosure has been done plenty of times in the past. What is the difference here?

The political environment is one. People are increasingly impatient with the Apple-ATT romance. There has been a confluence of bad slips in this relationship recently which has raised this issue already to the surface.

Two, they did not just say, “this error is on the site”. They did not just prove one access could be done. They proved well over a hundred thousand. And they sent that proof – confidential data – to journalists. Who knows where else they sent it? That forces an investigation.

Three, they grabbed the email addresses of a huge range of powerful people. People who do not necessarily grasp the meaning and context of the research, just as many journalists do not.

(Read: hyped news stories and inaccurate depictions of ‘what really happened’. No one was really “hacked”. It was a research discovery. As far as we know at this time.)

Four, the ipad is huge and just came out.

For us in comp sec, however, it highlights just how shoddy websites are in comparison with desktop and network applications. Further, how these two are very much entwined, regardless.

It is a sort of cloud attack.

There has to be room here for stronger pressure from the ethical research community for corporations to cover their web app bases. Just as there was and is in the full disclosure movement on applications people can lawfully pry into.

But how is this to really be done in a comparative way?

Hard problem.

By: mac

mac — Wed, 16 Jun 2010 14:21:41 +0000

When is work “research” and when is it just plain “hacking”? Can anyone just claim that they did “something” in the name of science as a “researcher”?

By: Andy Steingruebl

Andy Steingruebl — Mon, 14 Jun 2010 22:05:46 +0000

To self-promote a little – some people do have website vulnerability disclosure policies that allow researchers to responsibly disclose without fear of prosecution.

Security Disclosure Policies That Remove Chilling Effects
http://securityretentive.blogspot.com/2009/12/security-disclosure-policies-that.html