HackerTrans
トップ新着トレンドコメント過去質問紹介求人

nbpoole

no profile record

コメント

nbpoole
·15 年前·議論
So I take it you're not a fan of http://www.gamefaqs.com ? ;-)
nbpoole
·15 年前·議論
I sincerely hope that's not what happens here. I would hate to see someone lose their job over what seems to have been a temporary lapse in judgement.
nbpoole
·15 年前·議論
Putting the legal issues aside? It doesn't matter either way: security vulnerabilities trump copycats (in my opinion).

Publicly releasing details of an XSS vulnerability on a third party's site has much bigger ramifications than a copycat site. Plenty of websites deal with copycats all the time: they're frustrating, but they're not necessarily overly threatening. On the other hand, a 0 day could compromise the security of user information. In certain fields, that could completely destroy your business.
nbpoole
·15 年前·議論
I disagree.

1. There are plenty of proof of concepts you can develop that don't destroy the page.

2. The Quora engineers in question didn't enter stuff into a textbox and leave it alone. They went and publicly disclosed a cross-site scripting vulnerability in a competitor's website.

Edit: Ben deleted his "answer" which disclosed the XSS. However, the comments on the answer are still accessible (for now) if anyone is curious about them: http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/a...

Edit 2: Rick Ross posted a comment there I think is worth highlighting.

"In a way, we're grateful to these guys (Ben and Albert) for helping us close a hole. Their method of publicly vandalizing a test site and bragging about it is another matter. A simple email would have sufficed."
nbpoole
·15 年前·議論
The full quote from Rick Ross is "I am grateful that Ben Newman and Albert Sheu of Quora have identified a (now fixed) XSS vulnerability in our test site, but I am surprised that Quora policy permits developers to engage so openly in vandalizing other people's websites." which is slightly nicer than that article makes it sound.

Personally, I think the Quora engineers involved made some poor decisions. Anyone who looks for security vulnerabilities on websites they don't own or control is on shaky legal footing (there are exceptions: Google, Mozilla, Facebook, and a few other companies provide systems for the responsible disclosure of vulnerabilities). However, publicly disclosing vulnerabilities on a competitor's website (and making your proof of concept mildly malicious) is never going to work out well for anyone: it makes your company look like a bully and exposes you to potential legal ramifications.