n3td3v wrote:
Should the general public be expecting a disclosure of the
vulnerability to security mailing lists once a solution has been
implemented to patch the hole, so other web-based services are aware
of the possibility of the same problem being an issue for them, or
should gmail be keeping
Google is very secretive about everything. Don't expect them to share
information.
Regards,
Nancy Kramer
Webmaster http://www.americandreamcars.com
Free Color Picture Ads for Collector Cars
One of the Ten Best Places To Buy or Sell a Collector Car on the Web
At 11:22 PM 10/30/2004, n3td3v
On Sun, 31 Oct 2004 03:05:09 -0500, Nancy Kramer
[EMAIL PROTECTED] wrote:
Google is very secretive about everything. Don't expect them to share
information.
Regards,
Nancy Kramer
Webmaster http://www.americandreamcars.com
Free Color Picture Ads for Collector Cars
One of the Ten Best
A security hole in GMail has been found (an XSS vulnerability) which
allows access to user accounts without authentication. What makes the
exploit worse is the fact that changing passwords doesn't help. The full
details of the exploit haven't been disclosed
On Sat, 30 Oct 2004 13:47:30 +0200, Shoshannah Forbes [EMAIL PROTECTED] wrote:
A security hole in GMail has been found (an XSS vulnerability) which
allows access to user accounts without authentication. What makes the
exploit worse is the fact that changing passwords doesn't help. The full
Once again, a perfect example of the media misconstruing a security
vulnerability. XSS holes are not (as we all know) an immediate bypass for
any authentication. It can be used, with a bit of work, to steal
cookies/authentication data from unexpecting users, NOT as an immediate
break-into-accounts
there is a [x] box..
Don't ask for my password for 2 weeks.
this sets the users cookie. Gmail uses the cookie for authentication.
XSS holes are not (as we all know) an immediate bypass for
any authentication.
right
It can be used, with a bit of work, to steal
cookies/authentication data
Indeed, but surely the cookie information stored should be dependant on
the user's authentication details? It makes sense to use semi-dynamic
cookie information like this, making holes like this one a little more
hard to 'gain and keep' access.
there is a [x] box..
Don't ask for my password
I feel sorry for all the security pros outside of gmail and google, so
I say the below on behalf of them...
Should the general public be expecting a disclosure of the
vulnerability to security mailing lists once a solution has been
implemented to patch the hole, so other web-based services are