White-listed phish slip through Google Apps

Security probers Patrik Fehrenbach and Behrouz Sadeghipour have found a (since-patched) flaw in Google Apps that allowed criminals to register corporate domains and send white-listed phishing emails from admin addresses. The Choc Factory patched the flaw and handed the duo US$500 by way of thanks. The flaw meant attackers …

  1. Mephistro
    WTF?

    "...and handed the duo US$500 by way of thanks."

    Perhaps I'm being a little bit paranoid, but the amount awarded seems designed to discourage security researchers. Either that or G is pathologically tightfisted. Seriously, US$500?

    1. Robert Helpmann??
      Childcatcher

      Re: "...and handed the duo US$500 by way of thanks."

      Mephistro, you raise a very good point: How much is a security flaw worth? Should the award be based on the severity of the flaw, how much it would be worth on the black market, the amount of time that went into discovering and documenting it, what the company can afford to pay, or something else? Too, Google's behavior raises more general questions, such as how long a wait before disclosing flaws to the public is acceptable.

      Perhaps someone ought to set up an organization to independently rate and track security vulnerabilities. What could make it better? Perhaps, if MITRE were funded by industry rather than government, paid for the discovery of flaws for all members, and had consistent standards for payment, reporting, et cetera... Nah, that would be too much like right.

      1. ratfox

        Re: "...and handed the duo US$500 by way of thanks."

        I believe Google is actually among those who pay the biggest prizes; they were also among the first to do it at all. Until two years ago, finding a critical security bug in Windows earned you a heartfelt thank you.

        I believe that in this case, the small sum indicates rather that they don't consider the exploit (circumventing spam filters) to be critical.

        1. Tom 13

          Re: they don't consider the exploit (circumventing spam filters) to be critical.

          Since the exploit also allows phishing links into the message, it's a bit more than just circumventing spam filters.

          As for your claim that Google is good because the others are even worse, sorry, that dog don't hunt.

  2. John Tserkezis

    "we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter."

    Am I missing something, or are they trusting what's in the From: field to filter spam?

    I learned long ago not to trust it. If I can grunge it, so can everyone else.
