Google Won't Fix Flaw That Can Lead To Malware Download

HardOCP News

When has a company refusing to fix a flaw ever ended well? Something tells me now that the issue is getting attention that Google will have a change of heart.

I couldn't quite believe that Google had both understood this issue, and simply shrugged it off. So I opened several reports to make sure understanding, or communicating the issue wasn't the error here. In total, three reports were opened with Google; three reports were closed. I have included the final report here, to which I received the most responses.
 
well that's a big wtf. Somebody @ google's security didn't understand the implications of drive by downloads or redirections from an arbitrary source.
 
Found another flaw as well...

[Image: clinton-search-results.jpg]
 
If that's true then someone better get their resignation in quickly!
 
Not sure if trying to be funny or serious, but Google's official position is that they don't autocomplete anything they determine to be "disparaging."

It won't autocomplete "Donald Trump rac"[ist] or "Donald Trump hates bla"[cks] (note that the refusal to suggest anything about "Donald Trump racist" is new compared to June).

It does do "Donald Trump kkk ice cream" which leads to some nonsensical results.

I think Hillary has more to lose since Trump gets a rectal exam by the media while Hillary is in hiding / protected spaces without question. The policy itself even applied equally is helping one candidate more than the other.
 
I had similar issues with United Airlines... reported over 40 bugs, each one deemed not important, so I gave up; it's on them. Sometimes the bounty programs seem to be a mess.
 
How did a thread about a Google security flaw turn into a political discussion?

Let's keep the talk of how each political candidate sucks to the relevant soapbox. :)
 
This reminds me of a redirection flaw eBay had for years. It could be trivially crafted and the link text and address bar would show the domain was ebay.com.

This Google login flaw is important to fix, but I would never click a login link from an email or link put on a random page. I feel relatively safe.
 
This really isn't that big of a deal. Google probably thinks there's no way an infected file can end up in Google Drive. Also, if you're redirected after signing in and are prompted to download a file, you should probably use common sense and NOT download it. If you do download it, well that was mistake number one.
 
Headlines look serious since the imbalance was getting obvious, except headline #3 kind of supports my point and is about the media, not Hillary. But the substance of it is what matters. Do they take the curated answer from a spokesman or speech as fact? Do they ask follow up questions worth a shit?

Let's see

The New York Times just made it harder for Hillary Clinton to explain away the Clinton Foundation
#1 - basically implies repeatedly that the situation is not serious. Says the lack of proof of guilt in new emails is proof of innocence. Immensely flawed logic there. There are thousands of e-mails deleted forever we'll never see.
Hillary Clinton Has 30 Days to Answer 25 Queries on E-Mails
#2 - ooo. Stating a fact people are going to get elsewhere.
#3 - supports my position.
State Department says Benghazi emails involving Clinton recovered by FBI
#4 - states something that won't be hidden. Accepts Clinton camp no comment and reference to FBI chickening out to suggest prosecution as proof of no wrong-doing even though this is 'new' information
Clinton Foundation Official Requests State Lunch Access, Emails Show
#5 - a minor issue talked up to try to imply nothing serious happened.
EXCLUSIVE: Hillary Aides Worried About Who Had Access To Her Email Address
#6 - interesting the second story on your list where conservative groups are exposing this improper behavior and doing the Media's (so-called) job. That's symbolic of the deep digging I've come to expect from the media wrt Hillary. Other comment. Anyone with a fucking brain has been worried about who has had access since the story broke.
 
I'm pretty sure I remember a certain company notifying others of bugs in their software and then making a big deal out of it if they didn't remedy the situation within 90 days....
 
I'm pretty sure I remember a certain company notifying others of bugs in their software and then making a big deal out of it if they didn't remedy the situation within 90 days....

Ah, but you see this is different. We can't have the good guys fighting among themselves
 
I can see why they think it's phishing, but I don't see why they wouldn't fix it. If they manage to download a file that I think is legit when I look in my D/L directory a week later, I'm hosed.
 
It's just simple phishing. If you're storing raw executables in your Google Drive you probably deserve to get viruses. I only store archives like zips and tars or things like ISOs. Things you can look at before actually running. And for god's sake set your browsers to ask the location to save for each download, that way you won't just click on something and have it automatically appear in your downloads directory.

Looks to me like Aidan Woods was trying to make a quick buck from Google, was denied and is now stamping his feet.
 
Says the lack of proof of guilt in new emails is proof of innocence. Immensely flawed logic there.

To be fair, our entire system of law is based on the presumption of innocence. Unless you can point to irrefutable evidence that someone is guilty, you presume they are innocent.

There are certainly a lot of suspect circumstances in many of the Clintons' dealings, but until you can show actual evidence of wrongdoing, it's nothing but a conspiracy theory.
 
To be fair, our entire system of law is based on the presumption of innocence. Unless you can point to irrefutable evidence that someone is guilty, you presume they are innocent.

There are certainly a lot of suspect circumstances in many of the Clintons' dealings, but until you can show actual evidence of wrongdoing, it's nothing but a conspiracy theory.

Even if you have irrefutable evidence someone is guilty, they are technically not guilty until proven so in a court of law as you are semi-implying in your post. So while someone can be actually guilty in reality, they are not legally guilty until proven so. So I think what people are trying to say is "Hillary is obviously guilty in real life"; however, as you point out, she is not "legally" guilty because the AG is not willing to indict her. For example, you could watch someone commit a homicide in real life and run away. Just because that person isn't convicted of the crime yet, doesn't mean they didn't commit a crime or that they are not guilty. They just haven't legally been found guilty.

In other words, the concept of innocent until proven guilty is more about the prosecutor having the "burden of proof" rather than an implication that simply because someone hasn't been convicted that they are innocent in reality.
 
Even if you have irrefutable evidence someone is guilty, they are technically not guilty until proven so in a court of law as you are semi-implying in your post. So while someone can be actually guilty in reality, they are not legally guilty until proven so. So I think what people are trying to say is "Hillary is obviously guilty in real life"; however, as you point out, she is not "legally" guilty because the AG is not willing to indict her. For example, you could watch someone commit a homicide in real life and run away. Just because that person isn't convicted of the crime yet, doesn't mean they didn't commit a crime or that they are not guilty. They just haven't legally been found guilty.

In other words, the concept of innocent until proven guilty is more about the prosecutor having the "burden of proof" rather than an implication that simply because someone hasn't been convicted that they are innocent in reality.

In legal terms that is exactly true. The presumption of guilt applies only to criminal prosecution.

In terms of logic, however, it applies to everything.

You may have very strong suspicions that Clinton is guilty of something, but until you have irrefutable proof you can't make the statement that she is "obviously guilty". Coincidences DO happen in real life, and they are a lot more common than most people seem to believe.

The only thing we can for sure say about Clinton in this context, is that if she is indeed not guilty of misconduct, she has at the very least done a stupidly poor job at avoiding the appearance of misconduct. You'd think for someone who has been in politics as long as she has and her family has that she would be intimately familiar with how you avoid the appearance of conflict of interest, by erring on the side of caution, but she has had quite the amount of pissy arrogance on this subject, one of the many reasons I've had such distaste for her.

If it weren't for Trump being the alternative, I would be a never-Hillary person myself.
 
How did a thread about a Google security flaw turn into a political discussion?

Let's keep the talk of how each political candidate sucks to the relevant soapbox. :)

The echo chamber inmates escaped using a poisoned Google login?
 
The continue parameter is a simple redirect. Basically you'd click on a posted link, log in to Google, then be forwarded to a fake website. This by itself isn't bad because no credentials were sent to the website. Although, he makes it a little more convincing, by using the fake website to show a fake login prompt and redirect back to Google. The two ideas could be harmful when used together, but not independently.
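
The post above describes the `continue` parameter as a simple post-login redirect. As an added example (not from the thread, the researcher or Google), here is one way a login service could validate such a target, with a suffix-only host check beside a stricter host-and-path allowlist; the `example.com` hosts, paths and policy are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical policy for a constructed site (example.com); not Google's real rules.
ALLOWED_PREFIXES = {
    "accounts.example.com": ("/",),
    "mail.example.com": ("/",),
    "drive.example.com": ("/app/",),  # web UI only, not paths that serve user files
}
FALLBACK = "https://accounts.example.com/"


def suffix_only_check(url):
    """Weak form: accepts any URL whose host sits under example.com."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "example.com" or host.endswith(".example.com")


def safe_continue(url):
    """Return url if it matches the strict policy, otherwise FALLBACK."""
    # Reject backslashes, whitespace and control characters, which browsers
    # and URL parsers normalise differently.
    if "\\" in url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return FALLBACK
    try:
        parts = urlsplit(url)
        port = parts.port
        host = (parts.hostname or "").lower()
    except ValueError:
        return FALLBACK
    if parts.scheme != "https" or "@" in parts.netloc or port not in (None, 443):
        return FALLBACK
    path = parts.path or "/"
    # Dot segments (plain or percent-encoded) could escape an allowed prefix.
    if ".." in path.split("/") or "%2e" in path.lower() or "%2f" in path.lower():
        return FALLBACK
    prefixes = ALLOWED_PREFIXES.get(host)
    if prefixes and path.startswith(prefixes):
        return url
    return FALLBACK
```

The suffix-only check passes a same-domain URL that serves a user-uploaded file, while `safe_continue` falls back to the account page for it.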
 