> Yep, but there must have been an API (at some level) for generating or
> processing the QuickInvite URL.  That was what I was suggesting might
> have been the issue.

So, it's hard for me to answer this question because I didn't see any POC, but 
1) it's not physically possible for private keys to be revealed in the 
interface as described to me and in which I've spent the last few days 
completely submerged, and 2) there's still the validation process which isn't 
simply bypassed with this URL.

I have to be cautious here in a couple of my answers, and I hope you appreciate 
why: as soon as I found out Symantec wasn't affected any more by this reseller, 
I found out who was. I have to responsibly disclose that information first and 
get a confirmation from them. I've already notified everyone I had contact info 
for there, and I'll stay on them.
dev-security-policy mailing list

Reply via email to