How a tweet about an XSS bug within Google+ leads to XSS within InformationWeek (nilsjuenemann.de)
111 points by nilsjuenemann on Apr 29, 2012 | 21 comments

Great job, Nils. I didn't know Google doubles the reward if it goes to charity.

I wonder why Microsoft doesn't have a similar program. Hotmail just got hacked pretty bad[1], and the hackers were selling the vulnerability for chump change in forums[2]. What if they had an incentive to report it to Microsoft instead?

[1] http://www.vulnerability-lab.com/get_content.php?id=529

[2] http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hot...

There are some rumours that other big players will start a bug bounty program soon. So I won't be surprised if Microsoft will pay for vulnerabilities too.

A slight tangent, but I'm curious, can Google claim the donation is from Google for tax purposes even though it's under the instruction of Nils instead of him receiving cash? If so, is that why they offer to double it?

Taxes had nothing to do with it. Early on, one of the Chrome VRP reporters asked that we donate his bounty to the International Red Cross. We all felt his generosity deserved some extra recognition, so we decided to top off the reward, and do the same in the future for approved charities. We also decided that unclaimed rewards would be paid to the International Red Cross.

That's pretty much the whole story. It was a quick email thread between a few people in Chrome Security and Google Security.

If Nils wanted to claim it as a deduction, first he would have to claim it as income and pay gift tax.

Not worth it for him.

Google could deduct it either way - either as a donation or as a business expense.

The rules for paying tax are different for corporations (which incidentally is one of the reasons some self employed programmers incorporate).

Google makes the donation, so yes they get the tax benefits. However, as it still means twice as much money going to charity I don't know why anyone would have a problem with that.

There's some cultural ... thing ... that makes it seem bad to donate to charity if you have some other motive, like ego or a tax deduction. I don't really understand why, but a lot of people feel that way.

xkcd's take: http://xkcd.com/871/

I suppose it takes time and maturity to realize that people have multiple competing goals, and are not perfectly selfless.

Yes, that's true. Google made the donation and I chose the donee.

Google can take a deduction for the full amount, whether it's a charitable donation (in which case they can deduct it as a charitable donation) or a payment (in which case it reduces the profit of the enterprise, on which tax is calculated).

Can someone clarify the whole charity tax deduction thing? Unless tax is at >100% (or 50%?), surely there's no gain from doubling donations to benefit from tax deduction? Or am I not understanding something here?

Great work, and your reward went to a good cause. The world needs more of you.

I'm always curious as to why such an obvious bug couldn't be detected automatically. Some piece of code is printing a user name without sanitizing it. Fixing that particular bug is easy, but the real challenge is that the existence of the bug proves that your verification methodology has holes.

That is a good question, but I guess the answer is that XSS bugs are particularly hard to catch. Static code analysis can't know if a particular field you use in your templates (or wherever it is that your HTML gets rendered) is user supplied or not. You can try to catch it using manual code reviews, explicitly marking code that should not be escaped, etc., but it's easy to lose track of it. You can also try to have a number of users with names like this in your testing environment, but that is not fail-safe either.

http://en.wikipedia.org/wiki/Taint_checking provides a way to catch this type of bug. But it is not implemented in most languages.

You could also do clever things with type systems in a language with sufficiently complex type checking, but nobody seems to do that either.
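The three comments above (static analysis not knowing which template values are user supplied, taint checking, and type-system tricks) describe one idea from different angles: make "escaped" and "unescaped" different types so the renderer can refuse raw user input instead of relying on a reviewer to notice a missing escape call. The following is an added example written for this thread, not code from the article or from Google+/InformationWeek; the `Untrusted`/`SafeHtml` names, the `render_checked` function and the sample user name are all constructed for illustration.

```python
"""Type-based output escaping as a cheap stand-in for taint checking (added example)."""
from __future__ import annotations

import html


class Untrusted(str):
    """A string that came from the user and has not been escaped yet."""


class SafeHtml(str):
    """A string that is safe to emit into an HTML text or quoted-attribute context.

    Only escape() and mark_safe() may produce this type, so a SafeHtml value
    carries proof that someone consciously handled it (the 'taint' was cleared).
    """


def escape(value: str) -> SafeHtml:
    """Escape <, >, &, " and ' for HTML text and quoted-attribute contexts.

    Note: this is not sufficient for JavaScript, CSS or URL contexts, which
    need their own encoders; the type only says 'escaped for HTML markup'.
    """
    return SafeHtml(html.escape(str(value), quote=True))


def mark_safe(markup: str) -> SafeHtml:
    """Explicit opt-out for markup the server built itself (the 'marked as not
    to be escaped' case from the thread). Grep for this name in code review."""
    return SafeHtml(markup)


def render_naive(template: str, **ctx: str) -> str:
    """The pattern that produces the bug: values are interpolated unescaped."""
    return template.format(**ctx)


def render_checked(template: str, **ctx: str) -> SafeHtml:
    """Refuse any template value that is not already SafeHtml.

    A plain str or an Untrusted str raises TypeError at render time, so a
    forgotten escape() fails a test run instead of shipping to production.
    """
    for key, value in ctx.items():
        if not isinstance(value, SafeHtml):
            raise TypeError(
                f"template value {key!r} is {type(value).__name__}, not SafeHtml; "
                "wrap it with escape() or, for server-built markup, mark_safe()"
            )
    return SafeHtml(template.format(**ctx))


def render_profile(name: Untrusted) -> SafeHtml:
    """Profile header rendered through the checked path."""
    return render_checked("<h1>Hello, {name}</h1>", name=escape(name))


def rejects_unescaped(name: Untrusted) -> bool:
    """True if the checked renderer refuses the raw (unescaped) user name."""
    try:
        render_checked("<h1>Hello, {name}</h1>", name=name)
    except TypeError:
        return True
    return False


# Constructed sample resembling the 'users with names like this' from the thread.
SAMPLE_NAME = Untrusted('<img src=x onerror="alert(1)">')

if __name__ == "__main__":
    print("naive:  ", render_naive("<h1>Hello, {name}</h1>", name=SAMPLE_NAME))
    print("checked:", render_profile(SAMPLE_NAME))
    print("raw name rejected:", rejects_unescaped(SAMPLE_NAME))
```

The design choice here is that the check lives in the renderer rather than in the static analyser, which is exactly the gap the comment about static analysis points at: the analyser cannot tell which fields are user supplied, but at run time every value either is or is not `SafeHtml`. Seeding the test environment with a few `Untrusted` names containing markup then turns the "not fail-safe" manual check into a deterministic failing test. Real template engines (Django's autoescaping with `mark_safe`, Jinja2's `Markup`) implement the same idea.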

Unfortunately our industry rewards getting stuff done, and not getting stuff done right. (PHP being an extreme example.) So this state of affairs is likely to remain.

Nice work InformationWeek. There's nothing like reporting on a story about XSS issues and finding that you have the same issue.

Of course, InformationWeek might like to actually fix that bug. Sometime soon?

This is so awesome. White hat security not only to make the internet more secure, but to make the world a better place. Hats off to you man, this is really fantastic.

I wonder what the implications of having XSS on .google.com are these days? All auth cookies are likely to be HttpOnly, so probably not a serious vulnerability?

It's a good writeup about the post-XSS world and what kinds of attacks still exist.

I wrote a blog post about how I found a number of bugs in Gmail.
