I was wandering the same thing - I remember their blog said "they were investigating whether or not contest rules had been followed". Which is kinda stupid, since attackers don't follow the rules, and could make more than $10,000 by NOT telling you about the vulnerability.
Anyway... I really appreciate his emphasis on never expecting things to be "bullet proof". People need to remember that more.
Cool stuff, but I disagree with Lance's last word. The public (not the technically inclined) is going to expect "bullet proof" performance, so saying you aren't is going to hurt you.
This is a great hack. The company received a message claiming details proving an XSS vulnerability, but the details did not in fact exist until they followed the instructions in the message with the vulnerable interface meaning that in effect the email acted like a call to a function returning a promise[1] which was fulfilled when the message was read.
8 comments
[ 3.0 ms ] story [ 30.4 ms ] threadAnyway... I really appreciate his emphasis on never expecting things to be "bullet proof". People need to remember that more.
1- http://en.wikipedia.org/wiki/Futures_and_promises