SANS ISC: Gmail JavaScript vulnerability (fixed) - SANS Internet Storm Center
Gmail JavaScript vulnerability (fixed)
Earlier today we received a report of a JavaScript vulnerability in Gmail. We contacted Google, and in the meantime they reported back that it had been fixed. The issue seemed rather trivial to exploit.

Our Google contact also pointed out:
In the interest of minimizing the impact that security vulnerabilities have on our end users, we highly encourage anyone who discovers a vulnerability in a Google product or service to follow responsible disclosure policies by contacting us first at security/at/google/dot/com .

I'm sure most users of Gmail would rather have security issues handled as they suggest above, instead of having them published on some blog first, then some reader finding it, and us finally doing the right thing.

Is it that much to ask to send it off to the vendor first? Even if some vendors wait like forever, or take years to fix things, not all of them are that way, so let's at the very least give them a heads-up warning.

And if you cannot find the address to send it to, we'll gladly help you search for it.

Swa Frantzen

Mar 2nd 2006
