Please stop changing hats, it's embarrassing.
On Sat, Mar 15, 2014 at 7:36 PM, T Imbrahim <timbra...@techemail.com> wrote:
> Is this treated the same way that says that Remote File Inclusion is
> not a security issue?
>
> You don't follow? Implying?
>
> I understand why nobody likes Google. If I've found a vulnerability and
> been treated like that for trying to help, I would rather sell it to the
> black market or to some government.
>
> The NSA maybe is happy to buy a RFI on Google, I'm sure they could make
> good use of that. Google is very deceptive in security matters.
>
> --- lcam...@coredump.cx wrote:
>
> From: Michal Zalewski <lcam...@coredump.cx>
> To: timbra...@techemail.com
> Cc: pr...@yahoo.co.uk, full-disclosure <full-disclosure@lists.grok.org.uk>
> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
> Date: Sat, 15 Mar 2014 10:59:40 -0700
>
> > A hacker exploits a JSON (javascript) object that has information of
> > interest, for example holding some values for cookies. A lot of times that
> > exploits the same policy origin. The JSON object returned from a server can
> > be forged by overwriting the javascript function that creates the object. This
> > happens because of the same origin policy problem in browsers that cannot
> > say if js execution is different for two different sites.
>
> To be honest, I'm not sure I follow, but I'm fairly confident that my
> original point stands. If you believe that well-formed JSON objects
> without padding can be read across origins within the browser, I would
> love to see more information about that. (In this particular case, it
> still wouldn't matter because the response doesn't contain secrets,
> but it would certainly break a good chunk of the Internet.) JSONP is a
> different animal.
>
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
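To make the distinction Zalewski draws between plain JSON and JSONP concrete, here is an added example (not code from the thread or from Google) that simulates what a third-party page receives when it pulls a cross-origin response in through a `<script>` tag; the response bodies and the callback name `cb` are constructed, and the bare-array case goes slightly beyond the thread's "well-formed JSON object" wording.

```javascript
// Added example (not from the thread). Simulates what a third-party page
// gets when it includes a cross-origin response with <script src="...">.
// The browser runs the body as JavaScript regardless of its Content-Type, so
// the only question is whether the body, executed as a script, hands its data
// to a function the including page controls.

// Constructed sample responses; "cb" is an assumed JSONP callback name.
const JSON_OBJECT = '{"session":"s3cr3t","user":"alice"}';     // plain JSON object
const JSON_ARRAY  = '[{"session":"s3cr3t","user":"alice"}]';   // bare JSON array
const JSONP_BODY  = 'cb({"session":"s3cr3t","user":"alice"})'; // padded (JSONP)

// Run `body` the way an external <script> would, with the including page's
// own callback visible under `callbackName`. Returns what reached the page.
function includeAsScript(body, callbackName) {
  const leaked = [];
  const pageCallback = (data) => leaked.push(data);
  try {
    // new Function compiles the body as a program. A bare JSON object is not
    // a valid program (it parses as a block with a stray ':'), so it throws
    // before anything runs; the data never becomes visible to the page.
    new Function(callbackName, body)(pageCallback);
    return { executed: true, leaked };
  } catch (e) {
    return { executed: false, error: e.name, leaked };
  }
}

// Compare the three cases; only the JSONP endpoint hands the page its data.
function demo() {
  return {
    json: includeAsScript(JSON_OBJECT, 'cb'),  // SyntaxError, nothing leaks
    array: includeAsScript(JSON_ARRAY, 'cb'),  // runs, but current engines just
                                               // discard the expression's value
    jsonp: includeAsScript(JSONP_BODY, 'cb'),  // page's callback gets the secret
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The defender's takeaway matches the thread: the same-origin policy keeps a plain JSON object response private, whereas a JSONP endpoint is by design callable from any origin and must not carry per-user secrets.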