Amazon packaging feedback cross-site scripting vulnerability - bitquark
https://bitquark.co.uk/blog/2013/07/03/amazon_packaging_feedback_xss

======
potatolicious
I've sometimes wondered if code I've worked on will ever make it onto HN.

This was not the preferred way ;)

Though in my defense, this code was written before I got there... But I'm
pretty sure I've been through this exact code afterwards and never found the
vulnerability.

~~~
bitquark
Nice to meet you! There's always one that slips through the net ;-)

------
joshfraser
I reported a different vulnerability to Amazon a few days ago. I've gotten a
case number, but haven't heard anything beyond that. It's nice to see their
timeline and know that they are responding and fixing stuff.

------
swang
I wonder why Amazon doesn't offer a bounty, even one that is a token amount.

~~~
UnoriginalGuy
People often whine more about a "token amount" than they do about a "thank you"
in my experience.

------
MysticFear
I would be curious if the author would have investigated further if he knew
for certain no monetary benefit would have been given by Amazon.

~~~
bitquark
Of course! I did know for certain there was no monetary benefit. A t-shirt
would have been nice, but I investigated for the fun of it.

