Well Russ Jones over at TheGoogleCache just disclosed another cross site scripting vulnerability in Google that I previously verified prior to his disclosure. Russ Jones is more interested in the page rank aspects of XSS as he is interested in search engine optimization, but he also correctly acknowledged the issues around password and identity theft in Google’s application.
I know I said I wouldn’t discuss Google’s XSS woes for a while, but honestly, this one isn’t my fault! Russ let me know about it a few days back but he found it and disclosed it on his own. Now, I shouldn’t have to say it, but proper sanity checking of input seems like a pretty trivial thing to do. However, as we see, when you have thousands of programmers who are thin on security expertise, it can be very difficult to secure your application. That’s why I don’t trust entering personal information into Google, unless I typed the URL by hand. Call me crazy, but things like this freak me out.
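As an added illustration of the “sanity checking of input” point (my own example, not code from this post or from Google’s application): a handler that reflects a URL parameter into HTML, beside the hardened form that encodes the untrusted value at the point it is written into the page. The parameter name, page markup and sample query string are constructed for the demo.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: a query string as it would arrive from a crafted link.
SAMPLE_QS = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _param(query_string: str, name: str) -> str:
    """Return the first value of `name` from a URL query string ('' if absent)."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the raw 'q' value into the page: a reflected XSS (the bug class above)."""
    q = _param(query_string, "q")
    return f'<input name="q" value="{q}"><p>Results for <b>{q}</b></p>'


def render_hardened(query_string: str) -> str:
    """Same page, but every untrusted value is HTML-encoded where it is emitted.

    quote=True also encodes ' and ", which matters for the attribute context
    (value="...") as well as the text context inside <b>...</b>.
    """
    q = _param(query_string, "q")
    safe = html.escape(q, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for <b>{safe}</b></p>'


def reflects_unencoded(rendered: str, raw_value: str) -> bool:
    """Defender's check: did the raw, unencoded value make it into the output?"""
    return raw_value in rendered


if __name__ == "__main__":
    raw = _param(SAMPLE_QS, "q")
    print("vulnerable reflects raw markup:", reflects_unencoded(render_vulnerable(SAMPLE_QS), raw))
    print("hardened reflects raw markup:  ", reflects_unencoded(render_hardened(SAMPLE_QS), raw))
```

The point of encoding at output rather than filtering at input is that the same value may be emitted into several HTML contexts, and each one needs the encoding appropriate to it.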
Now, Google’s infosec guys emailed me (I emailed them back but I haven’t heard back from them - not quite sure why, actually). I would love to talk to them about their issues, but haven’t heard back. But this is far from the only vulnerability in Google. In fact, in a few seconds of checking today I found another cross site scripting hole in Google. But disclosure is such an ugly beast. While talking to one web app security expert today who shall remain unnamed, he said that he rarely discloses vulnerabilities anymore, because it’s just not worth his time. He’s not getting paid for it, and it’s not helpful to him to disclose it.
Think about it, I mean, I could easily be treading on some poor security consultant’s toes by finding vulnerabilities that he would be finding for the company in question. Interesting problem we face as a security community.
As a big enterprise I’d love to know ahead of time that I have vulnerabilities in my application. In fact, I’d expect it off the bat. But as I grew my application and expertise, I’d also expect that not many people are nice enough to give me a second chance - especially when there is no remuneration for their efforts. It’s not like Google’s going to give me $1000 every time I find a hole - if they did, there would be a much safer Google out there, believe you me. So in lieu of that, Google gets bad press, and I get nothing but the brief sense of self satisfaction in a job well done - and maybe the warm fuzzy feeling that I am giving other security researchers a job in the future by waking these companies up (I might be a nice guy, but I’m not that charitable).
The auction market is an interesting possibility for these types of issues. It’s been tried before but certainly never formalized and certainly never legitimately. If I have an exploit in some major software manufacturer, it is worth next to nothing to me unless I intend to start hacking companies that use it and try to get information from them that I could then resell - ultra blackhat. The second option is to give it to the companies in question - whitehat. The best I can hope for there is to get a job or a free book or something. The last option as an independent security researcher is I can sell it at market - blackhat with plausible deniability. The highest bidder wins.
Think about an auction format that allowed for software exploits to be sold in the same way that any one-of-a-kind, limited-format item could be sold. Would the company whose asset was in peril fork out a few hundred or a few thousand for the trouble? Seems like a small price to pay for avoiding full disclosure, or worse yet, having the vulnerability in question fall into the “wrong” hands to be used against the company in question. Of course, something like this could easily be created, but there’s no way to verify that the exploits work as advertised, so this whole idea is probably barely worth the ones and zeros it’s written on, but it’s an interesting concept that the security industry has not yet figured out.
There is one other option, which is where I give it to consultants who are working for the companies in question. They get to be the breadwinner for the company in question, and either pay me out the back end, or throw work or favors my way. That too is blackhat, but at least it gets the vulnerability fixed, and the company gets what it wants from the consultant one way or another - even if the hole was not found by them. For now, I don’t know which camp I’m in, but I do know that these companies aren’t getting their problems fixed like they could be, if we were able to figure out these issues. - And before I forget to mention, no, I’m not looking for a job.