> So discover them. Roll in your piles of cash from those easy picking bounties. Prove your point.
Sure, I already did. I earned the second highest bounty for Fastmail back in 2019 for exactly this kind of exploit. Since then I've reported to dozens of programs (OpenSSL, ClamAV, SpamAssassin, ProtonMail, Hey, Missive, Yahoo Mail, Yandex, Spark, Trello, Missive, AWS, Google Chrome) and rolled in a few tidy piles.
I have also written various pieces of open-source software that would have detected and prevented four separate zero-days, affecting Microsoft (and almost every AV engine, browser, and zip parser) [1][2], Gmail [3], Apple Mail [4], and countless open-source email servers [5].
Which guideline does it go against? Can you name even one?
The Luddite "ooh this is scary" posts always do well on HN. People are allowed to disagree. When someone cites completely and utterly irrelevant authority on the topic, it just betrays that they're playing the crowd. Amazing, albeit sad, how well it works here.
> Please don't comment about the voting on comments. It never does any good, and it makes boring reading.
> Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.
> When disagreeing, please reply to the argument instead of calling names.
I'm not quite sure what flaws in attachment handling/zip bombs [literally one of the oldest and most rudimentary features] and another to do with UI encoding have to do with this post. Neither has anything to do with advanced HTML support.
Software has bugs, story at 11. Should they have banned attachments as too scary and new?
That is a completely orthogonal bit to claim authority and "win". And it will probably work on many (citations, even if wholly irrelevant -- as these are -- are a magic pixie dust on HN [1]). Weird.
100% of the time that someone claims something is easy money, their claim is, shall we say, "dubious". It's noisy bluster.
Your Fastmail bounty [2] is impressive and kudos, but again it looks like it has to do with Fastmail's implementation details to support offline use.
Now it's your turn.
[1] https://github.com/ronomon/pure
[2] https://www.usenix.org/conference/woot19/presentation/fifiel...
[3] https://blog.cotten.io/ghost-emails-hacking-gmails-ux-to-hid...
[4] https://mikko-kenttala.medium.com/zero-click-vulnerability-i...
[5] https://snyk.io/blog/how-to-crash-an-email-server-with-a-sin...