[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Google vulnerabilities with PoC
- To: full-disclosure@xxxxxxxxxxxxxxxxx, "ispcolohost@xxxxxxxxx" <ispcolohost@xxxxxxxxx>, "brian@xxxxxxxxxxxxxxxx" <brian@xxxxxxxxxxxxxxxx>, "lem.nikolas@xxxxxxxxx" <lem.nikolas@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
- From: M Kirschbaum <pr0ix@xxxxxxxxxxx>
- Date: Sat, 15 Mar 2014 10:20:20 +0000 (GMT)
I have been watching this thread for a while and I think some people are being
hostile here.
There is nothing to gain being on eithers side but for the sake of security. As
a penetration tester, writer, and malware analyst with a long and rewarding
career...it would be absurd to admit that this is not a vulnerability. If the
content-type fields can be altered and the API accepts it that is undoubtedly a
vulnerability, I believe that it shouldn't be there. It would be a shame to say
that this is not a security problem. I have seen different responses on this
thread but having seen the proof of concept images as well I just think
that some of the people commenting here are just being hostile.
It doesn't take much for somebody in the field, to see clearly that Google does
not want to pay. And I bet any amount of money that the bug bounty program is a
way for filing potential threats by name and bank details.
Rgds,
M. Kirschbaum
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/