The Netvibes security problem

There has been some talk in the French blogosphere recently: the personalized homepage service Netvibes was revealed to have a flaw, which a component developer could use to access the private information of Netvibes developers, including their Google accounts (through some carelessness on the part of Google users, if I understand correctly). “This flaw has now been fixed,” the official Netvibes blog announced this week, adding that “before informing us, the component developer unethically revealed this flaw on his own blog.” TomHTML of the French Google blog Zorgloob summed up what happened on that blog.
– — – — – –
This Frenchman says that he first developed a component for Netvibes and got it approved for release. After that, you can modify your component without any testing or verification by Netvibes. This is absolutely foolish…
“I checked the website and discovered a flaw. I modified my component to collect the data of the users who use it. It took only 10 lines of code. In this one step, I could obtain a user's email address, his feed list (including feeds that carry access permissions), his calendar notes, his web notes, and the Gmail messages retrieved through the Mail.google.com/mail/feed/atom feed… I also got the parameters the component runs with, which is particularly dangerous if you use the component to watch the growth of your AdSense…”
Next, on his blog, he wonders: “Among the users of my component, are there any Netvibes developers?” He searched for “@netvibes.com”, and unexpectedly hit the jackpot! He found a Netvibes developer.
Next he examined what was in this developer's web notes (don't forget, anybody can write something there)… “In there were the login names and passwords for the Netvibes development site and wiki!!! Better still, the login name/password for the backup database, the database that contains all user data!” Truly incredible; if it were not for the screenshots he took, nobody would believe him.
“By browsing their (private) wiki pages, I discovered the things that Netvibes is developing. Nothing exclusive here: a mobile edition, integration of Google gadgets, partnerships with well-known brands (Google, AOL, Skype…), the founding of a ‘Netvibes community’, and user profiles and friend circles.
“Next, I could examine all the PHP files, and could find even more flaws!!! … Finally, I got into the backup database containing the users' login names/passwords. The passwords are encrypted with MD5… but thanks to websites like Md5.c.la, I could decode 1/5 of the passwords. The worst part is that a large share of users use the same password for Netvibes and their Google account… just like me!
“So I published this post, and then warned the Netvibes security team.
“Recommendations for the Netvibes team:
• Change all the passwords for the Netvibes development site
• Give developers security training
• Delete all web notes that contain confidential data
• Block all components that save login names/passwords for third-party websites
• Have all users change their passwords
• Contact me, so I can tell you where the flaws are
Recommendations for users:
• Change your password often
• Do not enter confidential data in web notes
• Be careful with these new “2” websites, even if they are as popular as Netvibes…”
The blog post that published this has now been deleted. I think he removed it himself (fearing the consequences of what he revealed), though perhaps someone else deleted it…
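
The password-storage weakness described in the quoted post (MD5 values that a public lookup site could resolve, made worse by password reuse), shown next to a salted, slow alternative. This is an added example, not code from the original post or from Netvibes; the user names, passwords, function names and the PBKDF2 parameters are constructed assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts; two users share one common password.
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "T7#vq9!wLm2z"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def md5_unsalted(password: str) -> str:
    """Weak scheme of the kind the post describes: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened scheme: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def recoverable_by_lookup(stored: dict[str, str], common: list[str]) -> set[str]:
    """Audit helper: accounts whose unsalted MD5 appears in a precomputed table."""
    table = {md5_unsalted(p) for p in common}
    return {user for user, digest in stored.items() if digest in table}


if __name__ == "__main__":
    md5_db = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    # Identical passwords give identical MD5 values, so one table hit exposes both.
    print("alice and bob share an MD5:", md5_db["alice"] == md5_db["bob"])
    print("resolved by table:", sorted(recoverable_by_lookup(md5_db, ["123456", "password"])))
    # With a random salt per user, the same password yields unrelated records.
    kdf_db = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("alice and bob share a PBKDF2 record:", kdf_db["alice"][1] == kdf_db["bob"][1])
    print("alice verifies:", verify_password("123456", *kdf_db["alice"]))
```

Salting and a slow KDF blunt precomputed lookups of a leaked backup; they do not help a user whose password is reused on another site that leaks it.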