Today I wrote my first blog entry on this site and I don’t think it could have been any bigger. It is going to be hard to top that one, but I also learned a few things:
- That you can actually contact Google if you think there is a security problem (see here)
- Responsible disclosure: it probably wasn’t the best idea to go down the full disclosure route
The good news is that after speaking with the security team at Google they are fixing the vulnerability and are going to revert any changes that have been made by utilising this exploit when they are done. So all in all, poor method of disclosure but it got exactly the desired result.
Difficult one, if you hadn’t made the full disclosure, you probably wouldn’t have the same visibility as you did.
LOL Great news that it’s now resolved. Thanks for sharing. So, no fruit basket from Google? ;(
Hey, just wanted to say: you are a very honest person. There are people out there (I know some of them, especially in the pills, poker, travel, price comparison and insurance verticals) who would have paid thousands and thousands in good cash for this information, even if it would just work for a few weeks. Search is big business, and this bug was a weapon of mass destruction.
So they’d BETTER put you in here!
http://www.google.com/intl/en/about/corporate/company/halloffame.html
It’s quite an old trick anyway..
Maybe Google should HIRE you then!!!??? … One man who almost brought down MIGHTY GOOGLE in 3 lines of code .. )) xa xa xa
You would be amazed how easy it is to talk to Google employees.
Great find though
Thanks for your awesome display of integrity; many people would have caused untold damage to honest working website owners.
Good job James!!