I'm glad Google took the report so seriously and corrected the problem before anyone could do anything scary with it. Oh wait...
Thanks for the link Kyle.

-----Original Message-----
From: Kyle Creyts [mailto:[email protected]]
Sent: Tuesday, June 05, 2012 11:58 AM
To: Michael J. Gray
Cc: Jann Horn; [email protected]
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

from full-disclosure to in-the-wild in less than 3 weeks

http://lists.grok.org.uk/pipermail/full-disclosure/2012-May/086850.html
to
http://share.cloudflare.com/3g1X141s2s3J2G2Z0e0O

On Tue, May 22, 2012 at 3:16 AM, Kyle Creyts <[email protected]> wrote:
> Creating test accounts and reproducing this bug sounds like a
> responsible thing to do.
>
> On Sun, May 20, 2012 at 4:22 PM, Michael J. Gray <[email protected]> wrote:
>> That was a bit ambiguous and I apologize for that. I meant that I had
>> reproduced the issue several times, not created test accounts. I'm
>> willing to bet it's not just a few accounts being affected.
>>
>> -----Original Message-----
>> From: Jann Horn [mailto:[email protected]]
>> Sent: Sunday, May 20, 2012 4:39 AM
>> To: Michael J. Gray
>> Cc: 'Thor (Hammer of God)'; 'Dan Kaminsky';
>> [email protected]
>> Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
>>
>> On Sat, May 19, 2012 at 12:04:43PM -0700, Michael J. Gray wrote:
>>> On why I don't want to provide my email address to Google:
>>>
>>> It's a different email address which I don't want associated with
>>> this email address for various reasons. That is why I am not going
>>> to provide it.
>>>
>>> Your assumption that it's a simple piece of information and requires
>>> no effort to give out is correct, but the impact of the association
>>> is unwanted.
>>
>> Sounds reasonable.
>>
>>
>>> The fact that Google can create a test account and reproduce the
>>> issue (as I have now done several times) tells me that they want the
>>> account information for some other purpose or that they're just being lazy.
>>
>> So, you now have a test account that doesn't reveal any secrets about
>> you and which is affected... so you could surely give Google the name
>> of that one?
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> --
> Kyle Creyts
>
> Information Assurance Professional
> BSidesDetroit Organizer

--
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
