by bigiain 5578 days ago
For what it's worth, my takeaway on this is not that Qato "ripped off Quora"; to me it's quite clear they're building an engine for Q&A websites, and they've used Quora (and Stackoverflow) as examples of what you can build with it. Not so much "ripping off" - I see it more like the sort of Photoshop demo where a guy on stage recreates some well known image to show off Photoshop as a tool.

The problem is, their tool has at least one XSS vulnerability. I've been there myself, and usually a single XSS vulnerability is an indication that the underlying design of the system didn't take XSS (and probably web security in general) seriously enough. It's _possible_ this was just a single place where user supplied data sanitisation wasn't done correctly, but I'd bet good money that it's indicative of a development mindset that failed to be paranoid enough. I'll bet there's a bunch of places they're going to find exactly the same error, and won't be at all surprised to find SQL injection vulnerabilities, HTTP header vulnerabilities, and any of a whole bunch of other "common web programming" errors. I'll be amazed if right now there aren't a bunch of people running fuzzers against any site suspected of having the Qato "engine" underneath it. I'll not be at all surprised to hear several of them get compromised before the weekend and start running dick-pill-seo spam...

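The design point in the comment above (one forgotten escape call is the symptom; escaping that must be remembered per field is the disease) as an added example in Python, not code from the thread or from Qato. The submission dict is a constructed sample; the two renderers and the output check are hypothetical helpers.

```python
import html
from typing import Dict, Iterable

# Constructed sample: what a Q&A engine might receive from an untrusted submitter.
# The title is benign; the body carries the textbook script-tag probe.
SUBMISSION = {
    "title": "How do I escape <b> in HTML?",
    "body": "Use entities.<script>alert(1)</script>",
    "author": "alice",
}


def render_adhoc(post: Dict[str, str]) -> str:
    """'Before' pattern: escaping is opt-in per field, so one missed call is enough."""
    return (
        f"<h1>{html.escape(post['title'])}</h1>"
        f"<div class=\"body\">{post['body']}</div>"  # the single forgotten escape
        f"<span class=\"author\">{html.escape(post['author'])}</span>"
    )


def render_escaped_by_default(post: Dict[str, str]) -> str:
    """Hardened pattern: every value is encoded at the output boundary, no opt-in."""
    safe = {k: html.escape(v, quote=True) for k, v in post.items()}
    return (
        f"<h1>{safe['title']}</h1>"
        f"<div class=\"body\">{safe['body']}</div>"
        f"<span class=\"author\">{safe['author']}</span>"
    )


def contains_raw_markup(rendered: str, untrusted_values: Iterable[str]) -> bool:
    """Cheap regression check: does any untrusted value containing '<' reach the page unencoded?"""
    return any(v in rendered for v in untrusted_values if "<" in v)


if __name__ == "__main__":
    print("ad hoc leaks markup:", contains_raw_markup(render_adhoc(SUBMISSION), SUBMISSION.values()))
    print("default-escaped leaks markup:",
          contains_raw_markup(render_escaped_by_default(SUBMISSION), SUBMISSION.values()))
```

A check like `contains_raw_markup` run over every template in a test suite catches the class of bug rather than the one instance.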

All really fair points. For me, they still seem to fall into the 'Harbor Freight Tools of the Internet' category.

[Edit: I already feel kind of bad about this comment. I love me some $3 multi-meters. Still. Analogy stands.]