How a tweet about a XSS bug within Google+ leads to XSS within InformationWeek (nilsjuenemann.de)
110 points by nilsjuenemann 805 days ago | comments


fjarlq 805 days ago | link

Great job, Nils. I didn't know Google doubles the reward if it goes to charity.

I wonder why Microsoft doesn't have a similar program. Hotmail just got hacked pretty bad[1], and the hackers were selling the vulnerability for chump change in forums[2]. What if they had an incentive to report it to Microsoft instead?

[1] http://www.vulnerability-lab.com/get_content.php?id=529

[2] http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hot...

-----

nilsjuenemann 805 days ago | link

There are some rumours that other big players will start a bug bounty program soon. So I won't be surprised if Microsoft pays for vulnerabilities too.

-----

citricsquid 805 days ago | link

A slight tangent, but I'm curious, can Google claim the donation is from Google for tax purposes even though it's under the instruction of Nils instead of him receiving cash? If so, is that why they offer to double it?

-----

justinschuh 805 days ago | link

Taxes had nothing to do with it. Early on, one of the Chrome VRP reporters asked that we donate his bounty to the International Red Cross. We all felt his generosity deserved some extra recognition, so we decided to top off the reward, and do the same in the future for approved charities. We also decided that unclaimed rewards would be paid to the International Red Cross.

That's pretty much the whole story. It was a quick email thread between a few people in Chrome Security and Google Security.

-----

ars 805 days ago | link

If Nils wanted to claim it as a deduction, first he would have to claim it as income and pay gift tax.

Not worth it for him.

Google could deduct it either way - either as a donation or as a business expense.

The rules for paying tax are different for corporations (which incidentally is one of the reasons some self employed programmers incorporate).

-----

thisishugo 805 days ago | link

Google makes the donation, so yes they get the tax benefits. However, as it still means twice as much money going to charity I don't know why anyone would have a problem with that.

-----

jrockway 805 days ago | link

There's some cultural ... thing ... that makes it seem bad to donate to charity if you have some other motive, like ego or a tax deduction. I don't really understand why, but a lot of people feel that way.

xkcd's take: http://xkcd.com/871/

-----

fjarlq 805 days ago | link

I suppose it takes time and maturity to realize that people have multiple competing goals, and are not perfectly selfless.

-----

nilsjuenemann 805 days ago | link

Yes, that's true. Google made the donation and I chose the donee.

-----

URSpider94 804 days ago | link

Google can take a deduction for the full amount, whether it's a charitable donation (in which case they can deduct it as a charitable donation) or a payment (in which case it reduces the profit of the enterprise, on which tax is calculated).

-----

ilikejam 805 days ago | link

Can someone clarify the whole charity tax deduction thing? Unless tax is at >100% (or 50%?), surely there's no gain from doubling donations to benefit from tax deduction? Or am I not understanding something here?

-----

mladenkovacevic 805 days ago | link

Great work and your reward went to a good cause. World needs more of you.

-----

alain94040 805 days ago | link

I'm always curious as to why such an obvious bug couldn't be detected automatically. Some piece of code is printing a user name without sanitizing it. Fixing that particular bug is easy, but the real challenge is that the existence of the bug proves that your verification methodology has holes.

-----

btilly 805 days ago | link

http://en.wikipedia.org/wiki/Taint_checking provides a way to catch this type of bug. But it is not implemented in most languages.

You could also do clever things with type systems in a language with sufficiently complex type checking, but nobody seems to do that either.

Unfortunately our industry rewards getting stuff done, and not getting stuff done right. (PHP being an extreme example.) So this state of affairs is likely to remain.

-----

ma2rten 805 days ago | link

That is a good question, but I guess the answer is that XSS bugs are particularly hard to catch. Static code analysis can't know if a particular field you use in your templates (or wherever it is that your HTML gets rendered) is user supplied or not. You can try to catch it using manual code reviews, explicitly marking code that should not be escaped, etc., but it's easy to lose track of it. You could also try to have a number of users with names like this in your testing environment, but that is not fail-safe either.

-----
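The two comments above (taint checking or a type system to catch unescaped output, and explicitly marking the few fragments that must not be escaped) can be combined in a few lines. The following is an added example written for this thread, not code from the article or from any of the commenters: a `Markup` string type that only `escape()` or an explicit, greppable `Markup(...)` call can produce, a renderer that escapes every template value unless it is already `Markup`, and an output sink that refuses a bare `str`. The template text, the `render`/`emit`/`find_tainted` names and the sample user name are all constructed for the illustration.

```python
"""Type-level taint tracking for HTML output (added example, not the page's code).

Untrusted data (here: a user name) is a plain ``str``. Only ``escape()`` or an
explicit ``Markup(...)`` call can turn it into ``Markup``, and only ``Markup``
may reach the output sink. A bare ``str`` reaching ``emit()`` is exactly the
"printing a user name without sanitizing it" bug discussed in the thread.
"""
import html
from typing import List, Sequence


class Markup(str):
    """A str subclass meaning: this HTML is safe to emit (escaped or trusted).

    Constructing Markup() directly is the explicit "do not escape this" marker
    that a reviewer can grep for.
    """
    __slots__ = ()


def escape(value: object) -> Markup:
    """Escape an untrusted value for an HTML text or quoted-attribute context."""
    if isinstance(value, Markup):
        return value  # already safe: never double-escape
    # html.escape handles & < > " ' which is what a text node or a quoted attribute needs
    return Markup(html.escape(str(value), quote=True))


def render(template: str, **context: object) -> Markup:
    """Fill {placeholders} in a developer-written template literal.

    Every context value is escaped unless it is already Markup, so a template
    author cannot forget to escape a user-supplied field.
    """
    safe = {key: escape(value) for key, value in context.items()}
    return Markup(template.format(**safe))


def emit(fragment: object) -> str:
    """Final output sink: the type check is the taint check."""
    if not isinstance(fragment, Markup):
        raise TypeError("refusing to emit a bare str; use escape() or Markup()")
    return str(fragment)


def find_tainted(fragments: Sequence[object]) -> List[int]:
    """Return the positions of fragments that would be rejected by emit().

    Useful as a cheap audit over everything queued for a response body.
    """
    return [i for i, frag in enumerate(fragments) if not isinstance(frag, Markup)]


# Constructed template and sample user name for the demo (not from the article).
PROFILE_TEMPLATE = '<p class="user">{name}</p>'


def profile_html(name: str) -> str:
    """Safe version: the name passes through escape() inside render()."""
    return emit(render(PROFILE_TEMPLATE, name=name))


def naive_profile_html(name: str) -> str:
    """The bug pattern from the thread: the user name is interpolated as-is."""
    return PROFILE_TEMPLATE.format(name=name)


if __name__ == "__main__":
    sample_name = '<b>Nils</b> "Juenemann"'  # constructed, contains markup and quotes
    print(naive_profile_html(sample_name))   # tags survive: markup injection
    print(profile_html(sample_name))         # tags and quotes are escaped
    # Explicitly trusted fragment: the only way to bypass escaping, and it is visible.
    print(emit(render("<div>{body}</div>", body=Markup("<em>trusted</em>"))))
    print(find_tainted([render("<i>{x}</i>", x="ok"), "<p>raw</p>"]))  # [1]
```

The point is not the escaping itself (any template engine does that) but that the unsafe path is now a type error at the sink rather than something a reviewer has to notice in every template. It does not cover every context (a value dropped into a `<script>` block or a `javascript:` URL needs different encoding), so the same approach would need one `Markup`-producing escaper per context.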

chris_wot 805 days ago | link

Nice work InformationWeek. There's nothing like reporting on a story about XSS issues and finding that you have the same issue.

Of course, InformationWeek might like to actually fix that bug. Sometime soon?

-----

jenius 805 days ago | link

This is so awesome. White hat security not only to make the internet more secure, but to make the world a better place. Hats off to you man, this is really fantastic.

-----

vizzah 805 days ago | link

I wonder what the implications are of having XSS on .google.com these days? All auth cookies are likely to be HttpOnly, so probably not a serious vulnerability?

-----

nilsjuenemann 805 days ago | link

http://lcamtuf.coredump.cx/postxss/

It's a good writeup about the post-XSS world and what kinds of attacks still exist.

-----

tectonic 805 days ago | link

I wrote a blog post about how I found a number of bugs in Gmail.

http://blog.andrewcantino.com/blog/2011/12/14/hacking-google...

-----

VMG 804 days ago | link

The InformationWeek XSS is still there:

http://www.informationweek.com/influencer/security/616a45777...

-----
