I believe Zalewski has explained very well why it isn't a vulnerability, and you couldn't possibly be calling him hostile. :)
On Sat, Mar 15, 2014 at 11:20 AM, M Kirschbaum <[email protected]> wrote:
> I have been watching this thread for a while and I think some people are being hostile here.
>
> There is nothing to gain being on either side but for the sake of security. As a penetration tester, writer, and malware analyst with a long and rewarding career... it would be absurd to admit that this is not a vulnerability. If the content-type fields can be altered and the API accepts it, that is undoubtedly a vulnerability; I believe that it shouldn't be there. It would be a shame to say that this is not a security problem. I have seen different responses on this thread, but having seen the proof-of-concept images as well, I just think that some of the people commenting here are just being hostile.
>
> It doesn't take much for somebody in the field to see clearly that Google does not want to pay. And I bet any amount of money that the bug bounty program is a way of filing potential threats by name and bank details.
>
> Rgds,
> M. Kirschbaum
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
"There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people."
