You may have noticed it's been a while since I posted anything here.… - Alierak
You may have noticed it's been a while since I posted anything here. There's a reason for that. In February I got busy participating in the Livejournal XSS Contest.
It bugs me that winners of the contest aren't publicly announced or credited, so it's not much of a contest. It also bugs me that I submitted four additional XSS vulnerabilities, three of which were never acknowledged and none of which have been fixed afaik. I don't think I ever received a fourth permanent account, either, and theoretically I might be due a total of seven. To "submit" a vulnerability, you send private email to Brad. Yeah. I suspect he puts them in the security queue in RT, but there's no way to check. Meanwhile permanent accounts have been losing value through LJ changes such as introducing ads, giving away paid features to ad-sponsored users, etc. So anyway, my trust in LJ hasn't been at its highest levels.
But given that my friend xb95 is going to be starting to work on LJ again, I figure it's probably all going to be okay. Now, what should I do with that half-formed post about my experience with the LJ XSS contest? Is four months enough to resort to public full disclosure, and do I dare toy with the ToS?
How should alierak describe LJ XSS vulnerabilities that have been fixed?
in full detail
To whom should alierak describe LJ XSS vulnerabilities that have been fixed?
How should alierak describe LJ XSS vulnerabilities that have not been fixed?
To whom should alierak describe LJ XSS vulnerabilities that have not been fixed?
(Yup, this poll was brought to you by my upgraded account)
Tags: lj, toys
Date: July 18th, 2006 11:11 pm (UTC)
You know, my life has been too full of ethical calls lately for me to volunteer to participate in another -- those neurons are tired -- so I'll decline. But I wanted to say "hi!" and let you know I'm still reading. How are things going?
Date: July 19th, 2006 07:37 am (UTC)
Oh well. Good and bad, can't really talk about it yet. I'm about to have to uncork a bunch of long-repressed social behaviors in order to make a life for myself here, meanwhile I can feel my brain trying to recoil in horror and show me how good it is at solving math problems instead.
I abstained on question three. I'd be interested in details; I'd suggest flocking them to be safe; but use your best judgement on how much detail to give out on unfixed, existing issues.
Date: July 19th, 2006 01:27 am (UTC)
I'm abstaining because of obvious bias! :D
Brad ran that contest rather .. well, retarded-ly. Or whatever the word for that would be. There was no way he'd ever be responsible enough for making sure everything got handled. There's also no way he'd ever get them moved into RT (I doubt they're in there - I don't see any high priority security fixes anyway).
I'm not back on LJ yet (and won't be for another 6-8 weeks, at least), but I'd be happy to take a look at the outstanding issues. I still have commit access (and make use of it!) so...
Date: July 19th, 2006 08:18 am (UTC)
On second glance, it appears he called it a "challenge", not a contest, so I may have been operating under invalid assumptions in the first place.
This all appears to have happened well after the deployment of RT, for example one of the fixed bugs was ticket #815. I suspect the unfixed bugs would be in the neighborhood of #1100 +/- 30, assuming they were all previously unreported. I don't think he'd have marked them high-priority, given the relative obscurity of some browsers involved.
My goal isn't to force you to fix the bugs, and given the trend of the poll I don't think I'll disclose them publicly anyway. Rather, it's to get that particular story told, so I'll feel like moving on with the narrative of my journal, such as it is.
I haven't read the ToS, so I don't really know what the rules are, but here's what I answered, in order: "in full detail", "everyone", "in full detail", "friends only".
The reason for the first and second is that giving full disclosure on a bug that's fixed gives everyone the chance to study it and learn from the mistakes, but it's still "safe" because no one can run out and use it to steal someone's journal. If by "fixed" you only mean "fixed on the test site, but still not fixed on the main site", then I'd say don't disclose it to everyone... maybe just friends. I answered "everyone" under the assumption that you WANT to disclose your experience and the bugs you found to everyone... if you don't, you're not under any ethical obligation to do so.
As to the second, I think you gave Brad long enough to check into the security holes and fix them, or at least to acknowledge them all. Of course, if he really did misplace them, someone might take your reports and resubmit them and try to take credit... well, your call on that. As to what to disclose and to whom, I think full disclosure is again good because it allows us to learn from the mistakes. I don't think necessarily disclosing it to the entire world is a good idea, because it could turn into a recipe for a script-kiddie. Posting friends-only doesn't necessarily mean someone won't republish what you write and make it public, but I think it's a happy medium between full disclosure to everyone and not disclosing anything.
Of course, if you don't want to share anything, don't, but I'd definitely be interested to see what you write.
Date: July 19th, 2006 08:32 am (UTC)
Thanks. I'm definitely leaning in the direction of your answers. It is reassuring that you are one of the few people on my flist actually qualified to give advice on security research.
As for things being fixed only on the test site, it's (imho) unethical to discover that, because you'd have had to try an exploit on the main site, which was not in the scope of the challenge. Permission was granted to bang on only the test server, afaik. But I think I can assume security bugfixes were applied to the test site and then to the main site within a day of the changes having appeared in public CVS / SVN. The bugs I'm calling "fixed" ought to be unambiguously dead at this point.
Oh, right, good point. In that case, I think you're right, you've got every reason to believe that "fixed" means fixed.