[ikeboy]

>Ormandy's no hack. That didn't happen.

Like I said, I don't want to speculate on why he published it.

>You can clearly look at the bug report and see that Mr. Ormandy thinks that the issue he reported is resolved. I don't know what you do for a living, but Ormandy does security research for a living. Have you looked into his credentials, reputation, and employer yet? :)

I'm aware this is for Google, and have mentioned that in comments in this thread. I'm not sure why I should believe his implication that everything was resolved over "my own lying eyes". Perhaps if he'd said "this XSS is not an issue" without explanation, I'd be happy, but he doesn't even acknowledge the point in what I can see.

Whether the bug report implies everything is resolved: I'm not so sure. Maybe he considers it resolved because every issue in the original was fixed, and AVG didn't acknowledge the last issue? I have no idea, and he hasn't given enough information for me to have an idea.

I'd sooner believe that something's wrong with the closing of the bug report than something's wrong with my understanding of how this is still a bug. Note that nobody yet has given me any explanation of how it might not be a bug, and HN is probably full of people who could explain it if it was the case.

[simoncion]

> I'd sooner believe that something's wrong with the closing of the bug report than something's wrong with my understanding of how this is still a bug.

Your credentials and ability in the field have not been established despite enquiries by many folks in this sub-thread. At the moment, I'm far more likely to believe that Mr. Ormandy has a far better understanding of the security issues with the AVG Chrome extension and their implications than you do.

> Perhaps if he'd said "this XSS is not an issue" without explanation, I'd be happy...

He marked the bug as Resolved-Fixed and removed the disclosure embargo. I don't know what more you want.

> Note that nobody yet has given me any explanation of how it might not be a bug...

tptacek and many others gave you a couple of really coherent replies in the subthread attached to your initial comment. None of them provide you with the answer you're looking for, but -frankly- you haven't demonstrated that you understand why it's reasonable the embargo on a security bug for a Chrome extension that AVG has made publicly available in the Chrome Webstore and that its security researcher (and -I suppose- AVG) feels fixes his reported problem was removed. :)

Maybe it'd help to know that the extension is currently not available pending an investigation into whether or not it violates any Webstore policies.

[ikeboy]

I clicked on the extension link earlier and it was still available in the webstore for installation. If they pulled it, I may have had a different opinion.

[simoncion]

> I clicked on the extension link earlier...

Ah, I was mistaken. Inline installation is blocked, and inline installation is a special process which is described here. [0] So, AVG could change their site to not use inline installation for a little while until the investigation is completed.

Anyway, it's clear that you don't (and won't) agree with Ormandy. Ormandy has an established track record and is currently employed by a security-focused company, performing security bug elimination work. AFAIK, [1] you're a guy who knows how to spell XSS and nothing more.

Have you... like... even considered that a not-insignificant number of Chrome extensions also expose their users to XSS vulnerabilities? And that... like... maybe that's the current status quo, that the initial issues were beyond the pale, and the remaining possible XSS threat for just two domains -while shitty- is not substantially worse than average?

I mean, just spitballing here.

And if you did consider that, then why on earth would you expect a professional to mention that in a bug report? That's Grade-A gossip rag clickbait.

[0] https://developer.chrome.com/webstore/inline_installation

[1] Because, like, you've not offered up any information regarding your work history and training (formal or otherwise).

[ikeboy]

>Anyway, it's clear that you don't (and won't) agree with Ormandy. Ormandy has an established track record and is currently employed by a security-focused company, performing security bug elimination work. AFAIK, [1] you're a guy who knows how to spell XSS and nothing more.

I don't think he's made a factually incorrect claims. You think his closing implies the XSS was fixed, and if that's the case, I know enough about XSS to know it wasn't fixed (as I said, clicking on his link executes the alert(1) code). If he knows the XSS wasn't fixed but thinks it wasn't a big deal, then he hasn't said anything false. But in that case, I have a ethical problem with his actions, partly because they seem to violate Google's policy, and partly because he's revealing a 0-day in a chrome extension without even removing the extension from the store. The benefits of full disclosure can be debated. But if you currently offer software for download, don't continue to offer it after you've 0-day it without a patch. That seems unnecessarily nasty to your users.

No, I don't work in security. I'm actually in college now. But I know a bit more than just how to spell XSS. What about you?

>Have you... like... even considered that a not-insignificant number of Chrome extensions also expose their users to XSS vulnerabilities? And that... like... maybe that's the current status quo, that the initial issues were beyond the pale, and the remaining possible XSS threat for just two domains -while shitty- is not substantially worse than average?

According to the report, the extension bypasses chrome's detection, which presumably violates Google's policy. So I think it shouldn't have been publicized until the decision whether to keep the extension was completed. Also, I think Google shouldn't publicize information on a currently active XSS, as above.

Now, I just happened to look at the report again, and it has a new comment at the end. He says (in response to someone with the exact same concern as me) "The XSS you're referring to cannot be used as-is due to mixed-content, it was intended to be illustrative only."

So that might account for it, although it still seems like it shouldn't have been released before AVG finishes the audit, or decides not to, or whatever.

[simoncion]

> You think his closing implies the XSS was fixed...

If "the XSS" means "Any XSS/mixed-content issues presented by pages on the two whitelisted domains, as mentioned in Comment #7 of the issue in question.", then no, I don't think that at all, and don't understand how you'd think that I thought that.

As I've repeatedly said, Ormandy believes that the original issue reported by Ormandy is fixed. For the avoidance of doubt, "the original issue" is the issue reported in the issue description.

> ...I have a ethical problem with his actions... I think Google shouldn't publicize information on a currently active XSS ...

Oh, that's very obvious, and has been from the start.

> ...partly because they seem to violate Google's policy...

If they did, he would no longer be working for Google.

> ...and partly because he's revealing a 0-day in a chrome extension without even removing the extension from the store.

Strictly speaking, what you say is true. OTOH, XSS vulns are everywhere on the internet. Additionally, you have to consider that The Bad Guys were likely already aware of the problems that Ormandy uncovered.

> It still seems like it shouldn't have been released before AVG finishes the audit, or decides not to, or whatever.

Think about this:

* The broken extension allowed any MitM, or any evil webmaster to inject code into and effectively disable SSL for every site on the internet.

* The fixed extension only exposes its users to XSS from pages on two domains, both managed by AVG.

Given that Google can't remotely remove the extension from Chrome browsers if it has been installed, what would you do? Refuse to permit AVG to update the extension in the Web Store until they fix all of the XSS issues on those two domains? If so, why?

[ikeboy]

>Given that Google can't remotely remove the extension from Chrome browsers if it has been installed, what would you do? Refuse to permit AVG to update the extension in the Web Store until they fix all of the XSS issues on those two domains? If so, why?

I'm not sure that's a given. They can update it, so why can't they update to a dummy version? (It looks like extensions in the store are signed by Google, not the developer, so they can update themselves if needed. Or at least that's what https://developer.chrome.com/extensions/packaging#upload seems to imply).

But even if we accept the premise, they can allow AVG to update the extension without revealing that there are existing XSS vulns that expose 9 million users.

Even the knowledge that "if you find an XSS in insecure-sites A and B, you can pwn 9 million users) seems highly sensitive, and should not be publicized according to Google's policies as far as I can tell.

>If they did, he would no longer be working for Google.

That's not really an answer. Does it make sense to you that it doesn't violate Google's policy, and if so, how?

[Oletros]

> I'd sooner believe that something's wrong with the closing of the bug report than something's wrong with my understanding of how this is still a bug

Occam's razor plays against you.