
Why post a big public dig? If there's a problem, make the world a better place by helping to solve it maybe? Just having a bad day?



1) they know exactly what they are doing; 2) arbitrary 3rd party JS running in privileged contexts (dashboards) is a wider problem I would like to draw attention to; 3) It's not immediately exploitable; 4) It takes five seconds to understand what the problem is; 5) I did not want to wait 90 days to be told "we are not going to fix this;" 6) my history of reporting problems (not security related) to the company in question is that they are not very responsive to fixing them.


I was with you until I saw this on your consulting pitch:

Write. I have written at least ten posts that made the front page of Hacker News / Programming Reddit (nb - Those aren't the best proxies for quality or popularity, but they are well known proxies). I can help kickstart your company's engineering blog, or work with your team on story/content ideas.

Now I'm not sure how much making the front page motivates your writing process. It is an interesting topic but I feel it would be a stronger case to demonstrate the issue across products from multiple vendors, though less incendiary/front-page-y.

PS. Props for not being the one to submit this particular article!


Not all of the companies you listed are analytics companies, just FYI.


Umm, either it's a problem and worth reporting responsibly, or not a problem and so not worth a hit piece on your blog?


It's only worth reporting "responsibly" if waiting might prevent users from being hurt. The way that concept has been manipulated into implying that the companies are owed an early warning is crap. The author doesn't owe CircleCI anything.


Precisely


This comment highlights the problem with calling disclosure 'responsible', because the word is used subjectively.

What you as a commenter, or a company (usually prefers to quietly fix this), or the wider user base (usually prefers a 'heads up' immediately), all have different opinions about what they see as responsible.

Also, it doesn't seem fair to dismiss this disclosure as a 'hit piece' unless it is factually incorrect.


Because it's a rampant problem not limited to them, and not obvious, and nobody seems to care? This is a good example for getting the target market to understand the dangers of just dropping in the latest js tool that marketing wants.

I used to be in ad tech; it always baffled me that we had first-party JS on every single customer page. Conceivably, if we were breached, someone could inject code to read every login token or CC# or anything and send it to their servers.
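A defender-side check for the "drop in the latest JS tool" risk raised in this comment, as an added example that is not from the thread: it lists the cross-origin script tags a page loads without Subresource Integrity, i.e. third-party code the page trusts unconditionally inside a privileged context. The sample HTML, the dashboard.example origin and the vendor hostnames are constructed placeholders.

```javascript
// Added example (not from the thread): audit an HTML document for cross-origin
// <script src> tags that are loaded without an integrity attribute.
// Hostnames and the sample page below are constructed for this example.

const SCRIPT_RE = /<script\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute string of one tag into a lowercase-keyed object.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return every external script whose origin differs from the page origin,
// noting whether it is pinned with Subresource Integrity.
function auditThirdPartyScripts(html, pageOrigin) {
  const page = new URL(pageOrigin);
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;                 // inline script: first-party code
    let url;
    try { url = new URL(attrs.src, page); } catch { continue; }
    if (url.origin === page.origin) continue; // same-origin asset
    findings.push({
      src: url.href,
      hasIntegrity: Boolean(attrs.integrity),
      crossorigin: attrs.crossorigin ?? null,
    });
  }
  return findings;
}

// Constructed sample: a dashboard that pulls two vendor scripts, one pinned with SRI.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor-analytics.example/tag.js"></script>
<script src="https://cdn.widgets.example/w.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
</head><body></body></html>`;

// The scripts a reviewer should question: third-party and unpinned.
function unpinnedThirdPartyScripts(html = SAMPLE_HTML, origin = 'https://dashboard.example') {
  return auditThirdPartyScripts(html, origin).filter(f => !f.hasIntegrity).map(f => f.src);
}

console.log(unpinnedThirdPartyScripts());
```

SRI only pins scripts whose content is stable, so a vendor tag that changes on every deploy will show up here as a standing policy question rather than something a hash alone resolves.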



