Rant and Finding Vulnerabilities in Public Websites
2006 and 2007 in security community came with heavy full disclosure potentially because of the increasing popularity of XSS attacks and Web 2.0, so-called social networking etc.
People started to publicly disclose XSS vulnerabilities, SQL Injection issues and even remote code execution issues in public websites. If you check out websites like XSSed - a public XSS database, sqlinject.blogspot - not well known one for public list of SQL Injection vulnerabilities and Full Disclosure forum of sla.ckers and especially famous so it's begin thread, you will see what I mean.
There are more websites like these and we used to see a new blog post everyday "How XXX website is so stupid because they are vulnerable to XXX in XXX page" posts.
Sorry, but WTF? Can someone tell me what's the point?
I understand that, to releasing an advisory or writing a blog post to force a public website like Google to fix their vulnerabilities but what I don't understand is releasing this kind of potentially critical information in the public without informing the developers / website / vendor. This is just irresponsible, selfish and bloody stupid.
Somehow if you able to find an XSS in a popular website it's even better(!) That means you are a great man who can spot a stupid XSS vulnerability in such a BIG website.
What triggered to me today is an interesting post "Vulnerability found in security tool" from The Spanner. This is not a perfect example of what I'm talking about but clearly perfect example of rant through full disclosure mentality.
From the blog post;
What's wrong with sending an e-mail to Chris and say;
Dude, your CSRF forwarder tool is vulnerable to XSS. Just let you know...
He's another good fella around just like us who's trying to bring some stuff to the community just like you.
Final statement about this I-don't-know-why-but-I-really-pissed-off post. (this statement goes for people who found a stupid vulnerability in big but stupid website)
Finding a vulnerability in a popular website or a software doesn't make you more clever than you are unless the vulnerability is clever, it just reveals the fact that developers of that website or software are muppets.
P.S. I agree to release an advisory or write a blog post about a vulnerability in a public website after it fixed (or ignored for 4-8 weeks), but only if the website is based on community or huge as in myspace, gmail, hotmail, flickr etc. Or if the vulnerability is not so common (e.g. Google UTF-7 XSS or RFP's packetstorm paper) or quite interesting which can be a real world proof for a theoretical attack. Otherwise it's utterly pointless.
End of my daily tantrum...