Google Blogoscoped

Google Files Left Unsecured

TOMHTML [PersonRank 10]

Monday, June 4, 2007
17 years ago, 3,825 views

I would just add that the source of my information was Dirson.

Anyway, minutes after I read this article, I tried to access the same kind of pages on other Google subdomains. I got nothing... :-/

Ionut Alex. Chitu [PersonRank 10]

17 years ago #

<< This security hole, which apparently was pretty serious... >>

Apparently it wasn't because you couldn't connect to the database if you weren't on a local machine from Google.

Tony Ruscoe [PersonRank 10]

17 years ago #

Ah yes, I read something about this on Googling Google:

http://blogs.zdnet.com/Google/?p=596

Philipp Lenssen [PersonRank 10]

17 years ago #

> << This security hole, which apparently was pretty serious... >>
>
> Apparently it wasn't because you couldn't connect
> to the database if you weren't on a local machine
> from Google.

That's not what I meant – what I mean by "serious" is that people could get hold of many internal Google files (I have them on my hard disk right now, and they're not the kind of stuff Google would want to disclose in usual circumstances – in other words, Google internal [non-user] data leaked out). For instance, a not-so-serious Google security issue would be an HTML-but-no-JS injection bug in a submit form (just as an example, though I did find one recently). A good indicator of how seriously Google took this one is the rather high speed with which they plugged the hole. A disastrous* Google security issue on the other hand – which this wasn't – would be when Google user data leaks out...

*All terminology subject to personal opinion of course...

Philipp Lenssen [PersonRank 10]

17 years ago #

> Ah yes, I read something about this on Googling Google:

... and they point to another recent hole, a (now fixed) XSS vulnerability... which as we know can expose your Google account (if you enter the malicious website) and then e.g. potentially your emails...
http://www.0x000000.com/?i=323

Tony Ruscoe [PersonRank 10]

17 years ago #

Seriously, Google should think about rewarding people who find security holes and notify them without posting the details publicly before they've been fixed...

Martin Porcheron [PersonRank 10]

17 years ago #

"Seriously, Google should think about rewarding people who find security holes and notify them without posting the details publicly before they've been fixed..."

I would have thought a better solution would be to employ crackers (note the definition of hacking: to code for fun) to constantly attack and attempt to gain access to Google's servers and when they do they can report it internally.

I've heard of similar setups at other companies and I would have thought that Google would have such a system in place.

Tony Ruscoe [PersonRank 10]

17 years ago #

Martin, they may already have such a system in place, but "ordinary people" continue to find these security holes. Wouldn't it be fair to reward these users?

If I find something wrong with a food product and I return it to the manufacturer, they would usually send me a voucher as a gesture of thanks.

Couldn't Google do something similar? Or would that just cause a stampede to find more security holes...?

Mother Earth [PersonRank 1]

17 years ago #

DiskMap$Entry.class
I saw two Java class files. Later I decompiled them using jad. I think these files are the examples for Google Development Kit for AJAX.

package com.google.urlremover;

import java.io.Serializable;

// Referenced classes of package com.google.urlremover:
// DiskMap

public static class DiskMap$Entry
   implements Serializable, Comparable
{

   public int compareTo(Object obj)
   {
       DiskMap$Entry diskmap$entry = (DiskMap$Entry)obj;
       return key.compareTo(diskmap$entry.key);
   }

   public Comparable key;
   public Object value;

   public DiskMap$Entry()
   {
   }
}
The other file is publisher.class, which has some inner classes:
http://ssuresh83.googlepages.com/Publisher.jad

Suresh S [PersonRank 10]

17 years ago #

Similar to http://services.google.com

http://services.google.com/earth/kmz/BMNG-12months.kmz

The one below redirects to
http://72.14.253.104/search?q=http://services.google.com/&hl=en&filter=0

http://services.google.com/tcbin/tc.py
