Saturday, June 23, 2007

Google Says Thank You

Some of you might have seen that there was something going on with 40+ security vulnerabilities on YouTube and an ultimatum issued by me. Well, that is correct. Now let me explain what happened.

A couple of months ago I discovered several security holes on YouTube, which I have already mentioned earlier on my blog. Apparently YouTube didn't respond to my reports and continued adding new features with new critical holes. The result after a few weeks was roughly 40 or even more XSS vulnerabilities on a website acquired by Google with hundreds of thousands of users each day.

I've been in the security industry for quite some time now, long enough to be able to assess the possible consequences and the likelihood of a severe attack on such a site. Over time, social networking sites in particular will definitely become a favored target for web worms that might even propagate across more than one site. What happened on MySpace back in 2005 was in fact just a taste of what could happen if we were faced with an XSS-based Warhol worm. Yeah, Samy proved that this is not too far off base, and I know that other security researchers agree with me on this matter.
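The stored XSS the post is talking about comes from one defect class: user-supplied profile or comment text placed into a page without context-appropriate output encoding. The following is an added example, not code from the original post or from YouTube, showing a constructed profile template with that defect beside its hardened form, plus a small parser-based audit that flags what a browser would actually execute. The templates, function names and the two sample payloads are assumptions made for illustration.

```python
# Added example (not from the original post): the output-encoding defect
# behind stored XSS on a user-generated-content site, beside its fix, and a
# parser-based check that asks "what would the browser execute here?".
# Template, names and sample payloads are constructed for illustration.
import html
from html.parser import HTMLParser

# Constructed sample inputs, as they might sit in a profile database field.
SAMPLE_SCRIPT = "<script>alert(1)</script>"          # lands in element body
SAMPLE_ATTR_BREAK = '" onmouseover="alert(1)'         # lands in an attribute


def render_profile_vulnerable(display_name: str, about: str) -> str:
    """'Before': raw string interpolation of untrusted values into HTML.
    Whatever the user stored is emitted as markup, so a <script> element in
    `about` or a quote in `display_name` becomes part of the document."""
    return (f'<div class="profile" data-name="{display_name}">'
            f'<p>{about}</p></div>')


def render_profile_hardened(display_name: str, about: str) -> str:
    """'After': every untrusted value is HTML-escaped for the context it lands
    in. html.escape with quote=True encodes & < > " and ', which covers both
    the element-body and the double-quoted-attribute contexts used here."""
    return (f'<div class="profile" data-name="{html.escape(display_name, quote=True)}">'
            f'<p>{html.escape(about, quote=True)}</p></div>')


class ActiveContentAuditor(HTMLParser):
    """Parses rendered HTML the way a browser tokenizer would and records the
    constructs that execute script: <script> elements and on* event-handler
    attributes. Escaped text such as &lt;script&gt; is character data, not a
    tag, so it is correctly not reported."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")


def audit(rendered: str) -> list[str]:
    """Return the list of executable constructs found in a rendered fragment;
    an empty list means the untrusted input stayed inert data."""
    auditor = ActiveContentAuditor()
    auditor.feed(rendered)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_profile_vulnerable),
                            ("hardened", render_profile_hardened)):
        print(label, "body:", audit(renderer("alice", SAMPLE_SCRIPT)))
        print(label, "attr:", audit(renderer(SAMPLE_ATTR_BREAK, "hi")))
```

The audit deliberately parses instead of grepping: a regex for `onmouseover=` would also fire on the hardened output, where that text survives as an inert attribute value, while the parser reports only what ends up as a tag or attribute name. The same check fits naturally into a template test suite, where each user-controlled field is fed a body-context and an attribute-context payload and the rendered page must audit clean.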

So in case you are still wondering, I chose the path of responsible disclosure instead of just releasing all vulnerabilities to the public because I don't want something like that to happen.

A few days after I issued the ultimatum, Google Security contacted me and together we were able to fix all known vulnerabilities. I have also talked with Hunter Walk, who is Product Manager at YouTube, and suggested that he set up a security response team at YouTube to make sure that issues like these are routed better in the future. He promised to take care of that.

I appreciate this because I think that when a company has a well-functioning security response team and credits reports appropriately, researchers will be far more motivated to report what they have found.

The Google Security Team is already doing that and publicly thanks me on http://www.google.com/corporate/security.html. Additionally they sent me a Google t-shirt, which is really cool ;)

I think they have learned their lesson from all the noise.

10 Comments:

Anonymous said...

Great stuff Christian! But ... you're still undervalued by the Google people. 1 line on a 'thank you' page no one ever gets to see and a T-shirt ...? Man, those billion dollar boys should be ashamed! 40 leaks should be granted a lifelong supply of shirts at least (OK, maybe just 40). Just kidding, you should be offered a job instantly. Nothing more, nothing less.

Anonymous said...

Why? He didn't apply for one.

Did they have an explanation for why they failed to respond to your earlier attempts to notify them?

Silentz said...

I kinda agree, although I think the fact that they were thankful for him bringing it to their attention and it looks like they accepted responsibility and didn't try to deny it or anything.

Also, soon when someone Googles christ1an's full name he will be somewhere near the top of the results ;)

drop said...

Congrats Christian!

very good work.

Anonymous said...

Respect Chris!
Really nice to have people around who are not just looking for sensational site crashes but are really looking towards a safer and more valuable and secure and reliable internet.

Great job.

>> www.cosmiq.nl

Christian Matthies said...

No, actually they did not tell me why they didn't respond earlier. Anyway, I am happy that everything got fixed so fast.

Thank you all.

Adrenalin said...

Wow, you're a star now %) You really deserve a "better thanks" from them, smth. like thank you for making the internet safer, take the keys for your new Porsche %)

Like this they will stimulate more good guys to find and report bugs before bad guys find them and use them for some black things..

Are the vulnerabilities fixed, can we see where the bugs were? (just curious..)

BEPenfriends said...

hmm Christian,

Google escaped from others. good work buddy

Anonymous said...

Google doesn't thank RSnake yet again: http://ha.ckers.org/blog/20061010/google-doesnt-thank-rsnake/

Adrienne said...

sweet, good stuff dude