[simoncion]

> If you could stop condescending for a minute...

I'm not condescending. I carefully read everything you wrote.

Carefully read Ormandy's report. Notice how the reported issue is:

"This extension adds numerous JavaScript API's to chrome... Anyway, many of the API's are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn't be surprised if it's possible to turn this into arbitrary code execution."

According to Ormandy, that issue is fixed. Or is your claim that he's lying about this and marking it as Resolved-Fixed just to get it off of his plate or something?

[ikeboy]

Talking about achieving enlightenment sounds condescending, and I wasn't sure how else to interpret it.

>Or is your claim that he's lying about this and marking it as Resolved-Fixed just to get it off of his plate or something?

The issue in 1 is fixed. The last issue in 5 is not. You can clearly look at the given link and see the issue is not resolved. Perhaps he didn't consider the XSS part of the core issue, only being mentioned in comment 5. Or maybe his anger at AVG clouded his judgement? I really shouldn't be trying to figure out why, it's sufficient to point out the what.

[simoncion]

> Talking about achieving enlightenment sounds condescending...

I guess you're not one for Zen koans and The Codeless Code, eh? Guess I'm getting old.

> Or maybe his anger at AVG clouded his judgement?

Ormandy's no hack. That didn't happen.

> The last issue in 5 is not. You can clearly look at the given link and see the issue is not resolved.

You can clearly look at the bug report and see that Mr. Ormandy thinks that the issue he reported is resolved. I don't know what you do for a living, but Ormandy does security research for a living. Have you looked into his credentials, reputation, and employer yet? :)

[ikeboy]

>Ormandy's no hack. That didn't happen.

Like I said, I don't want to speculate on why he published it.

>You can clearly look at the bug report and see that Mr. Ormandy thinks that the issue he reported is resolved. I don't know what you do for a living, but Ormandy does security research for a living. Have you looked into his credentials, reputation, and employer yet? :)

I'm aware this is for Google, and have mentioned that in comments in this thread. I'm not sure why I should believe his implication that everything was resolved over "my own lying eyes". Perhaps if he'd said "this XSS is not an issue" without explanation, I'd be happy, but he doesn't even acknowledge the point in what I can see.

Whether the bug report implies everything is resolved: I'm not so sure. Maybe he considers it resolved because every issue in the original was fixed, and AVG didn't acknowledge the last issue? I have no idea, and he hasn't given enough information for me to have an idea.

I'd sooner believe that something's wrong with the closing of the bug report than something's wrong with my understanding of how this is still a bug. Note that nobody yet has given me any explanation of how it might not be a bug, and HN is probably full of people who could explain it if it was the case.

[simoncion]

> I'd sooner believe that something's wrong with the closing of the bug report than something's wrong with my understanding of how this is still a bug.

Your credentials and ability in the field have not been established despite enquiries by many folks in this sub-thread. At the moment, I'm far more likely to believe that Mr. Ormandy has a far better understanding of the security issues with the AVG Chrome extension and their implications than you do.

> Perhaps if he'd said "this XSS is not an issue" without explanation, I'd be happy...

He marked the bug as Resolved-Fixed and removed the disclosure embargo. I don't know what more you want.

> Note that nobody yet has given me any explanation of how it might not be a bug...

tptacek and many others gave you a couple of really coherent replies in the subthread attached to your initial comment. None of them provide you with the answer you're looking for, but -frankly- you haven't demonstrated that you understand why it's reasonable the embargo on a security bug for a Chrome extension that AVG has made publicly available in the Chrome Webstore and that its security researcher (and -I suppose- AVG) feels fixes his reported problem was removed. :)

Maybe it'd help to know that the extension is currently not available pending an investigation into whether or not it violates any Webstore policies.

[ikeboy]

I clicked on the extension link earlier and it was still available in the webstore for installation. If they pulled it, I may have had a different opinion.

[simoncion]

> I clicked on the extension link earlier...

Ah, I was mistaken. Inline installation is blocked, and inline installation is a special process which is described here. [0] So, AVG could change their site to not use inline installation for a little while until the investigation is completed.

Anyway, it's clear that you don't (and won't) agree with Ormandy. Ormandy has an established track record and is currently employed by a security-focused company, performing security bug elimination work. AFAIK, [1] you're a guy who knows how to spell XSS and nothing more.

Have you... like... even considered that a not-insignificant number of Chrome extensions also expose their users to XSS vulnerabilities? And that... like... maybe that's the current status quo, that the initial issues were beyond the pale, and the remaining possible XSS threat for just two domains -while shitty- is not substantially worse than average?

I mean, just spitballing here.

And if you did consider that, then why on earth would you expect a professional to mention that in a bug report? That's Grade-A gossip rag clickbait.

[0] https://developer.chrome.com/webstore/inline_installation

[1] Because, like, you've not offered up any information regarding your work history and training (formal or otherwise).

[Oletros]

> I'd sooner believe that something's wrong with the closing of the bug report than something's wrong with my understanding of how this is still a bug

Occam's razor plays against you.