
I wonder which party should pay the bounty in this case. He seems to have reported it to Twitter; however, wouldn't it be Google's responsibility to fix this?

Seeing as how it's a combination of an issue in the web server parsing cookies, and the client setting malicious cookies, I'm not sure which party should be responsible for the bounty.



They should both pay a bounty. But if you had to assign blame only one place it would be ECMAScript. Setting the value of an unintended cookie should not be so easy to do by accident.


Nitpick: strictly speaking, setting cookies is not part of ECMAScript, it's part of the DOM API.


Cookies are, without a doubt, the worst "API" in the DOM. Here's the entire API: document.cookie

That's it. That one property. To add cookies, modify cookies, delete cookies, whatever, you do an assignment. To read all the cookies, you do a read.

That's it. That's the API.
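
A simplified model of the assignment and read semantics described in the comment above, added here as an illustration and not part of the thread. `CookieJarModel` and `demo` are hypothetical names, and the model ignores Domain, Path, Secure and HttpOnly.

```javascript
// Simplified model of the document.cookie accessor (not a browser implementation).
// Assumption: only Max-Age and Expires are interpreted; other attributes are ignored.
class CookieJarModel {
  constructor() {
    this.store = new Map(); // name -> value, insertion-ordered
  }

  // Assignment handles add, modify and delete: exactly one cookie per write.
  set cookie(str) {
    const [pair, ...attrs] = String(str).split(";");
    const eq = pair.indexOf("=");
    if (eq < 0) return; // model choice: ignore strings without '='
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    let expired = false;
    for (const attr of attrs) {
      const i = attr.indexOf("=");
      const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
      const val = i < 0 ? "" : attr.slice(i + 1).trim();
      if (key === "max-age" && Number(val) <= 0) expired = true;
      if (key === "expires" && Date.parse(val) <= Date.now()) expired = true;
    }
    if (expired) this.store.delete(name);
    else this.store.set(name, value);
  }

  // A read returns every visible cookie as one string, with no attributes.
  get cookie() {
    return [...this.store].map(([n, v]) => `${n}=${v}`).join("; ");
  }
}

// Constructed sample writes showing add, modify and delete through one property.
function demo() {
  const doc = new CookieJarModel();
  doc.cookie = "theme=dark; Path=/";      // add
  doc.cookie = "lang=en; Max-Age=3600";   // add a second cookie; the first is kept
  doc.cookie = "theme=light";             // modify an existing cookie
  const afterWrites = doc.cookie;
  doc.cookie = "lang=; Expires=Thu, 01 Jan 1970 00:00:00 GMT"; // delete
  return { afterWrites, afterDelete: doc.cookie };
}
```
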


This is correct, and it's a source of madness.

One more thing: Cookies are limited to 4KB total due to the HTTP/1.1 specification.


Hi, I am the author of this report.

I sent information about this vulnerability to: 1) Google (2 fix in Google Analytics) 2) Django / Python (https://hg.python.org/cpython/rev/270f61ec1157) 3) Twitter (changed CSRF protection) 4) Instagram [Facebook] (sent me to Django)



