Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities

in this post i link to a blog entry by a guy (dcrab) who does some show and tell about amazon and msn. you gotta love full disclosure. full disclosure, and why bugtraq exists, is what i talk about below. if you only want the link, just skip my text and go to the end.

so, yes, we know. thanks. yes, we know. most sites have vulnerabilities. most sites don’t fix them. all you have to do is pick a site arbitrarily and you will find them after anywhere from a second to a few minutes of searching.

recently i exchanged some words on exactly this subject with scott chasin (who started bugtraq back in ’93). this is why full disclosure was originally done, and part of why bugtraq was originally created. people often don’t remember why, and today they attack the concept of full disclosure, saying that it is irresponsible to disclose vulnerabilities that way.

on some levels, i agree, but nothing is black and white even if i often think it is.

some companies take security seriously. reporting to them works. some companies (at best) ignore you. back then most companies ignored you. back then full disclosure was the silver bullet and the solution. i recently had the chance to discuss this with aleph1 as well. even he, a strong believer in full disclosure, agrees it’s a different world now.

today, the same situation is repeated in new fields. game companies, critical infrastructure operators (such as those running scada systems), and others who are now discovering the world of vulnerability research don’t know how to deal with it. it is interesting to watch how the world of security repeats its history.

when someone releases the information, it is a fact that everyone goes and attacks the site or builds a poc. when someone provides only the name of the site, or skeleton details of the vulnerabilities… everyone goes and looks for what they know is there.

a few months back a kiddie tried to sell an excel vulnerability on fd. now, i am not sure if this is completely related, but a few months after that microsoft released several patches for excel. this month we have had excel 0days.

in the world of web security the situation is more extreme. release the bug? everyone will exploit it. release the site name? everyone will find a bug there today.

the point is, though, that these vulnerabilities have always been there, and they have been exploited before. we just didn’t know about them. and people are surprised when corporations and sites are broken into and their personal data is stolen?

here is a blog post by a guy who got sick of reporting vulnerabilities and, after years of trying (look at the dates), finally made a small release about msn and amazon (although other interesting sites are listed there as well).

noam rathaus recently wrote about a similar issue (“from flaw to exploit”):

i contacted both amazon and ms, but this is out there, and once it’s out there – it’s, well, out there. full disclosure, y’know.

gadi evron,

  • digi7al64

    I don’t think this really comes as any surprise to anybody in the IT security industry. Given enough time you can always find a hole in almost any system that requires any significant user input.

    However, in saying that, whenever you notify a company of an exploit they generally tend to shift the blame for the exploit to the person reporting it rather than the IT staff that created it.

    Otherwise you are replied to with the simple text “We are currently investigating the issue” with no thanks given.

    Anyways, here is a similar story with (now fixed due to the digg effect) XSS POCs for AOL, Citibank, MIT, Wells Fargo and the IRS.
