Alierak (alierak) wrote,

You may have noticed it's been a while since I posted anything here. There's a reason for that. In February I got busy participating in the LiveJournal XSS Contest, where I learned a few JavaScript / CSS tricks and won three permanent accounts for my trouble. I keep wondering if I should finish writing up that experience, and how much detail to go into, so I've put off posting about anything else.

It bugs me that winners of the contest aren't publicly announced or credited, so it's not much of a contest. It also bugs me that I submitted four additional XSS vulnerabilities, three of which were never acknowledged and none of which have been fixed, as far as I know. I don't think I ever received a fourth permanent account, either, and theoretically I might be due a total of seven. To "submit" a vulnerability, you send private email to Brad. Yeah. I suspect he puts them in the security queue in RT, but there's no way to check. Meanwhile permanent accounts have been losing value through LJ changes such as introducing ads, giving away paid features to ad-sponsored users, etc. So anyway, my trust in LJ hasn't been at its highest levels.

But given that my friend xb95 is going to start working on LJ again, I figure it's probably all going to be okay. Now, what should I do with that half-formed post about my experience with the LJ XSS contest? Is four months enough to resort to public full disclosure, and do I dare toy with the ToS?

Poll #772865 LJ XSS disclosure

How should alierak describe LJ XSS vulnerabilities that have been fixed?
  in full detail: 13 (100.0%)
  in vague terms: 0 (0.0%)
  not at all: 0 (0.0%)

To whom should alierak describe LJ XSS vulnerabilities that have been fixed?
  everyone: 8 (61.5%)
  friends only: 5 (38.5%)
  nobody: 0 (0.0%)

How should alierak describe LJ XSS vulnerabilities that have not been fixed?
  in full detail: 6 (54.5%)
  in vague terms: 5 (45.5%)
  not at all: 0 (0.0%)

To whom should alierak describe LJ XSS vulnerabilities that have not been fixed?
  everyone: 2 (15.4%)
  friends only: 11 (84.6%)
  nobody: 0 (0.0%)

(Yup, this poll was brought to you by my upgraded account)
Tags: lj, toys