

How a tweet about a XSS bug within Google+ leads to XSS within InformationWeek - nilsjuenemann
http://www.nilsjuenemann.de/2012/04/ethiopia-gets-new-school-thanks-to-xss.html?hn

======
fjarlq
Great job, Nils. I didn't know Google doubles the reward if it goes to
charity.

I wonder why Microsoft doesn't have a similar program. Hotmail just got hacked
pretty bad[1], and the hackers were selling the vulnerability for chump change
in forums[2]. What if they had an incentive to report it to Microsoft instead?

[1] <http://www.vulnerability-lab.com/get_content.php?id=529>

[2] <http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hotmail-email-account-hacked-for-just-20/>

~~~
nilsjuenemann
There are some rumours that other big players will start a bug bounty program
soon. So I won't be surprised if Microsoft will pay for vulnerabilities too.

------
citricsquid
A slight tangent, but I'm curious, can Google claim the donation is from
Google for tax purposes even though it's under the instruction of Nils instead
of him receiving cash? If so, is that why they offer to double it?

~~~
thisishugo
Google makes the donation, so yes they get the tax benefits. However, as it
still means twice as much money going to charity I don't know why anyone would
have a problem with that.

~~~
jrockway
There's some cultural ... thing ... that makes it seem bad to donate to
charity if you have some other motive, like ego or a tax deduction. I don't
really understand why, but a lot of people feel that way.

xkcd's take: <http://xkcd.com/871/>

~~~
fjarlq
I suppose it takes time and maturity to realize that people have multiple
competing goals, and are not perfectly selfless.

------
mladenkovacevic
Great work and your reward went to a good cause. World needs more of you.

------
alain94040
I'm always curious as to why such an obvious bug couldn't be detected
automatically. Some piece of code is printing a user name without sanitizing
it. Fixing that particular bug is easy, but the real challenge is that the
existence of the bug proves that your verification methodology has holes.

~~~
ma2rten
That is a good question, but I guess the answer is that XSS bugs are
particularly hard to catch. Static code analysis can't know if a particular
field you use in your templates (or wherever it is that your html gets
rendered) is user supplied or not. You can try to catch it using manual code
reviews, explicitly marking code that should not be escaped, etc., but it's
easy to lose track of it. You can also try to have a number of users with names
like this in your testing environment, but that is not fail-safe either.
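
The "users with names like this in your testing environment" idea from the comment above, as an added example that is not code from the original thread, from InformationWeek or from Google: a hypothetical profile renderer with the unescaped interpolation the thread describes, the same renderer with contextual escaping, and a check that feeds constructed canary users through a renderer and reports any name that came back verbatim. Function names, the canary names and the markup are all assumptions made up for this example.

```javascript
// Added example (hypothetical code, not from the thread or the sites discussed).
// A user-supplied display name is interpolated into HTML, first unescaped
// (the bug the thread describes), then escaped per context.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the template cannot tell that `user.name` came from the user,
// so it is dropped into both a text node and a quoted attribute as-is.
function renderProfileUnsafe(user) {
  return `<h1 title="${user.name}">Profile of ${user.name}</h1>` +
         `<a href="/u/${user.id}">link</a>`;
}

// Fixed: every interpolation goes through an encoder for its context
// (HTML text/attribute -> escapeHtml, URL path segment -> encodeURIComponent).
function renderProfileSafe(user) {
  const name = escapeHtml(user.name);
  return `<h1 title="${name}">Profile of ${name}</h1>` +
         `<a href="/u/${encodeURIComponent(user.id)}">link</a>`;
}

// Constructed canary accounts to seed into a test environment. Each name
// contains characters that must never survive escaping unchanged.
const CANARY_USERS = [
  { id: 'canary-1', name: '<script>alert(1)</script>' },          // text context
  { id: 'canary-2', name: '"><img src=x onerror=alert(1)>' },     // attribute breakout
  { id: 'canary-3', name: "O'Neil & Sons <b>bold</b>" },          // mixed, looks legit
];

// Render every canary through `render` and report names that appear verbatim
// in the output: a verbatim hit means some interpolation skipped escaping.
function findUnescapedCanaries(render) {
  const hits = [];
  for (const user of CANARY_USERS) {
    const html = render(user);
    if (html.includes(user.name)) {
      hits.push({ user: user.id, name: user.name });
    }
  }
  return hits;
}

// Stand-alone run: the unsafe renderer leaks all three, the safe one none.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', findUnescapedCanaries(renderProfileUnsafe));
  console.log('safe:', findUnescapedCanaries(renderProfileSafe));
}
```

The canary check only catches the total absence of escaping for a name; it does not prove the encoder is right for every context (a name inside a `<script>` block or an unquoted attribute needs different treatment), which is the gap the comment above is pointing at.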

------
chris_wot
Nice work InformationWeek. There's nothing like reporting on a story about XSS
issues and finding that you have the same issue.

Of course, InformationWeek might like to actually _fix_ that bug. Sometime
soon?

------
jenius
This is so awesome. White hat security not only to make the internet more
secure, but to make the world a better place. Hats off to you man, this is
really fantastic.

------
vizzah
I wonder what the implications are of having XSS on .google.com these days? All
auth cookies are likely to be http-only, so probably not a serious
vulnerability?

~~~
nilsjuenemann
<http://lcamtuf.coredump.cx/postxss/>

It's a good writeup about the post-XSS world and what kinds of attacks
still exist.

------
tectonic
I wrote a blog post about how I found a number of bugs in Gmail.

<http://blog.andrewcantino.com/blog/2011/12/14/hacking-google-for-fun-and-profit/>

------
VMG
the InformationWeek XSS is still there:

<http://www.informationweek.com/influencer/security/616a45777252657276506c6830533652356a525737513d3d>

