Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Pages: 12Next
Current Page: 1 of 2
Message to Google / YouTube
Posted by: christ1an
Date: June 16, 2007 09:01AM

I am posting this because I know that YouTube / Google developers read here. Since you guys have shown me that you do not find it necessary to read your e-mails, I am feeling impelled to contact you this way.

Just like other major social networking sites (or even more) YouTube is responsible for the privacy and security of hundreds of millions of users. However presently this security is not provided in the least due to a continuously increasing amount of severe security vulnerabilities on YouTube coming with each site update.

Having security holes is one thing but not responding to vulnerability reports is totally unacceptable and certainly not conform to your commitment to data security.

Taking that into account I'm going to have one last try and give you two weeks from now to contact me. If you don't, I am obliged to disclose all vulnerabilties in public.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: tr3ndkill
Date: June 16, 2007 09:22AM

fuck it bruh disclose em anyways. you dont owe them anything

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Chuks
Date: June 16, 2007 11:42AM

I would love to see this Christian, i saw some in hackyou too. Hehe pretty good.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: seventh
Date: June 17, 2007 12:51AM

I agree about the disclosure. It has happened me many times before when I warn someone his site has problems in 80% of times there is no back message from them.

Two weeks is too much.
Make this public and go.. why so much consideration with them?

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: christ1an
Date: June 17, 2007 06:21AM

Because it is worth a consideration to disclose around 50 YouTube vulnerabilities to the public. (point)

It's all in their hands now. If they respond, fine; but if they don't they're going to bear the consequences.

I owe them nothing at all. However I as a security researcher with a sense for responsibility owe the public to protect their data up to a certain degree.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 17, 2007 07:01AM

I think two weeks is a good period and I support this way of vulnerability disclosure if mails aren't answered.

I've seen some of christ1ans vulns and I've found some by myself (it's not very hard after the relaunch and yes there are 50+) and I can say it's hard to believe that those issues are ignored - most are LHF, fixable in a minute and speak for blowzy application development.

Also I think this thread is not about sharing cool links with popping alerts and stuff - it's about creating awareness and spreading knowledge as (in my eyes) the whole forum is - even if some guys have obviously seen too much star wars recently and aren't able to get the sith thing out of their system...

Greetings,
.mario

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Ivan
Date: June 17, 2007 09:56AM

I had some alike situation few days before with local search engine. I contact them two times but there is no reply, after ~three weeks I disclose vulns in public.

I`m not disclose all vulns, but I say that there is more ... and again, there is no reply from them. On some local forum they say that vulns are not critical and that thay know for that, it is very arrogantly from them ...

http://www.security-net.biz/

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: rsnake
Date: June 17, 2007 04:05PM

50? Wow... If they do respond are you going to release them after they fix them at least?

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: christ1an
Date: June 17, 2007 05:06PM

RSnake: How shall I release fixed vulnerabilities?

The amount of XSS only is somewhere around 50 yes. Some reflective XSS, some persistent XSS, some dump filters and so forth.

If YouTube doesn't contact me, I'll start a DOYB aka. Day Of YouTube Bugs where I release one or more vulnerbilities each hour.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: rsnake
Date: June 17, 2007 06:50PM

That would get people's attention, yah. Are you going to do it HP bug of the week style and do it starting Friday night just to screw up a bunch of developer's weekend?

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 18, 2007 03:02AM

ah, come on - not friday night! my developer soul bleeds just reading that ;)

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 18, 2007 06:56AM

Haha great ideas, let's rock!

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: christ1an
Date: June 18, 2007 07:35AM

Well, we'll see then. I don't want to do that, I instantly hope that I'll find a message in my mailbox somewhen during the next days.

Even by being forced to contact them publicly this way I'm doing something I don't like - bringing scammers attention on YouTube who could possibly hack them.

So again, YouTube, I do not intend to harm either you or the reputation of your company. In fact, I want to save it and in my judgement this is the only remaining way to make that happen.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0



Edited 1 time(s). Last edit at 06/18/2007 07:37AM by christ1an.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 19, 2007 06:17PM

I hope they respond for there own sake, or else I have enough time to code a Youtube XSS Worm and turn it loose.
And that isn't a threat but a certainty, because I need a stable platform to release a concept worm I created which is capable of spawning an entire network,
stealing every cookie, login credential, and aiming at users trying to install keyloggers with some Javascript heap spraying.

Nope. not a joke, time will tell.



Edited 2 time(s). Last edit at 06/19/2007 06:19PM by Ronald.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: christ1an
Date: June 20, 2007 10:25AM

I've been contacted from Google Security and YouTube.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 20, 2007 11:02AM

Ah a pity! :)

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: christ1an
Date: June 20, 2007 01:24PM

I have just sent a report to them.

However while preparing the PoCs I noticed that most vulnerabilities have recently been fixed. So I only listed a few, around about 10. Seems as if they've looked through the source during the last 48 hours.

I'm going to write a blog item about this once it's done.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Jib
Date: June 20, 2007 10:11PM

Well handled, christ1an.

I look forward to seeing the blog post.

[No sooner does man discover intelligence than he tries to involve it in his own stupidity.]
[Jaques Cousteau]



Edited 1 time(s). Last edit at 06/20/2007 10:11PM by Jib.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Martin
Date: June 21, 2007 06:28AM

Very responsibly handled - and glad to see that Google finally responded.

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 21, 2007 08:37AM

Yah but kinda sad that it had to come this far.

IMHO full-disclosure would had made them act way much faster then they did now. because in the mean time that Christian was emailing and posting here, Google taking a look at it, thinking about it, doing nothing for a few months. giving other plenty of time to take a peek themselfs. This would never happened with full disclosure from the start, forcing them to shove it up their ass from day one. Lazy bastards, full disclosure is they only way to be responsible for everyone IMO.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: christ1an
Date: June 23, 2007 06:26AM

Here's the blog item:
http://christ1an.blogspot.com/2007/06/google-says-thank-you.html

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Mephisto
Date: June 23, 2007 09:31AM

So you go a thank you and a t-shirt...No stocks??!!

http://mephistosmind.blogspot.com



Edited 1 time(s). Last edit at 06/23/2007 09:32AM by Mephisto.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 23, 2007 01:19PM

They probably where out of toiletpaper stocks Mephisto.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: John
Date: June 23, 2007 03:53PM

Most of the time when I try to help sites, they never get around to returning emails.

At least I still try. I should just disclose them all.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: ANELKAOS
Date: June 25, 2007 12:59PM

Hello Christian.

I don't think that this 48 XSS in youtube.com, majority known in private list, suppose a serious danger in this moment (only for stupid users...) To what directions you wrote? Try again with help [at} google {dot] com. They always answer to me in less than 24 hours.

Regards.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 26, 2007 02:00AM

I don't understand you guys do this for free. Spend all your free time for nothing, and their programmers clap into their hands while you guys do all the work.

I'dd say Google should pay Christian a full salary of what programmers gets @ google for his support and help, but that's my opinion. In fact, the flaws he found are even intellectual property because every injection is different.

Even if Google would spend 0,000000000000000000000000000000000000000000000001% of their budget to spend on security researchers (who obviously do a better job) I think we'll all be living in a more secure place.

I mean common, isn't this at least a bit fair? it should be set as an example, a symbol.

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Martin
Date: June 26, 2007 02:57AM

@Ronald: Problem is that this can be conceived as extortion - asking to be paid or threatening to release a vulnerability...

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 26, 2007 03:04AM

So what?

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: Martin
Date: June 26, 2007 03:26AM

Well, I don't know where you live, but where I come from that's illegal

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Options: ReplyQuote
Re: Message to Google / YouTube
Posted by: hackathology
Date: June 26, 2007 04:14AM

Wow, bold move!!

http://hackathology.blogspot.com

Options: ReplyQuote
Pages: 12Next
Current Page: 1 of 2


Sorry, only registered users may post in this forum.