
That actually sounds like an awful way to report an XSS. Honestly, as someone who maintains a web service I have to say I'd prefer private disclosure to even the rickroll approach. All it takes is one "genius" doing some copy-paste action and then you're in a world of hurt and damage control.



Regarding this and the other response to me. I would never do what I described. I was just trying to demonstrate to those that don't understand XSS properly, that these issues are serious. I don't think a Rick Rolling really gets that issue across.

If I do an XSS attack against you on github whilst you are logged in, I can compromise all of your source repositories, your code, and in turn, potentially compromise the systems of your users.


End-users aren't who you need to tell. Just site owners. Posting this to HN before it was fixed constitutes (IMO) completely irresponsible disclosure.


I agree. I would not have disclosed this particular XSS flaw until after it was fixed.


Yes, soon after posting I realised it wasn't the best idea I've ever had. I regret posting this before the Github guys got a chance to fix the hole. Not something I'm going to repeat.


You should report to security@github.com next time.



