by Afforess
4304 days ago
I love how the security researcher, and not the website with the sloppy code, is at fault according to you. You live in a strange world, my friend. Responsible disclosure doesn't really exist, bugs may be used anywhere, any time, and it's perilous to assume that there is a window of "safety" for fixing security bugs.
Edit (since you added more):
> Responsible disclosure doesn't really exist, bugs may be used anywhere, any time, and it's perilous to assume that there is a window of "safety" for fixing security bugs.
It is true that you can't assume that there is a window of "safety" for fixing security bugs, but on the other hand, once an exploit is published widely, you know for certain that it's in the hands of everyone. Prior to that you can only speculate.
Now, I know that there is a dance between "give them time to patch it before you guarantee that everyone has their hands on the exploit" and "giving users full disclosure so that they can take their own steps to protect themselves." I don't really see how that works here though. Thinking about it:
1. Current users are just screwed. They can't protect themselves in any meaningful way. Their information is already in the system. [Note: they are a little less screwed without disclosure because there is at least a possibility that no one else has found the exploit yet]
2. New users know to wait to get on the site until after fixes are announced.
That's about it. This isn't some exploit in (e.g.) GnuPG where notifying users potentially prevents them from sending encrypted messages that (e.g.) the NSA could be reading.
Edit 2:
I missed the CSRF attack. In this case, it makes sense to notify users so that they can protect themselves. But users don't need to know the details of the attack to protect themselves. They just need to know that they shouldn't visit other sites while logged into Coursera. A blog post saying "details to follow..." could post the write-up after waiting a reasonable amount of time for a fix.
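Added example (not code from the thread, and not Coursera's): a small model of the CSRF attack the last edit refers to, showing why "don't visit other sites while logged in" is the only lever a user has, and which defences belong on the site's side. The hostnames, the `change_email` endpoint, the form fields and the `AccountServer` class are hypothetical. The `SameSite` cookie attribute is a browser feature from 2016 onward, well after this thread, and is modelled here only for comparison; the assumption behind the thread's advice is that the session cookie had none of these protections.

```python
# Added example, not from the thread and not Coursera's code.  Models a browser
# deciding whether a session cookie rides along on a cross-site form submission,
# and a server deciding whether to accept the resulting state change.
# Hostnames, endpoint, field names and the AccountServer class are hypothetical.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SITE = "coursera.example"   # hypothetical target site
ATTACKER = "evil.example"   # hypothetical attacker-controlled site


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the hostnames used here."""
    return ".".join(host.split(".")[-2:])


@dataclass
class Cookie:
    value: str
    same_site: str = "None"  # no attribute: historically attached to every request


def browser_attaches_cookie(cookie: Cookie, initiator_host: str, cookie_host: str,
                            method: str, top_level_navigation: bool) -> bool:
    """Apply the SameSite rules (a 2016+ browser feature) to a request sent to
    cookie_host by a page served from initiator_host."""
    if registrable_domain(initiator_host) == registrable_domain(cookie_host):
        return True                            # same-site request: always sent
    if cookie.same_site == "Strict":
        return False                           # never on cross-site requests
    if cookie.same_site == "Lax":
        return top_level_navigation and method == "GET"   # cross-site POST blocked
    return True                                # "None" or unset: always sent


class AccountServer:
    """State-changing endpoint.  By default it trusts the session cookie alone,
    which is exactly the condition under which CSRF works."""

    def __init__(self, require_token: bool = False, check_origin: bool = False):
        self.require_token = require_token
        self.check_origin = check_origin
        self.sessions: Dict[str, dict] = {}
        self.emails: Dict[str, str] = {}

    def login(self, user: str, email: str) -> Tuple[str, str]:
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": token}
        self.emails[user] = email
        return sid, token      # the token is embedded only in the site's own forms

    def change_email(self, session_id: Optional[str], origin: str, form: dict) -> int:
        sess = self.sessions.get(session_id) if session_id else None
        if sess is None:
            return 401         # no session cookie arrived
        if self.check_origin and origin != f"https://{SITE}":
            return 403         # Origin header names the attacker's site
        if self.require_token and not hmac.compare_digest(
                form.get("csrf", ""), sess["csrf"]):
            return 403         # attacker's page cannot read the victim's token
        self.emails[sess["user"]] = form["email"]
        return 200


def run_attack(same_site: str = "None", require_token: bool = False,
               check_origin: bool = False) -> Tuple[int, str]:
    """Victim logs in, then visits evil.example, whose page auto-submits a hidden
    form to the target.  Returns (HTTP status, victim's e-mail afterwards)."""
    server = AccountServer(require_token, check_origin)
    sid, _ = server.login("alice", "alice@example.org")
    cookie = Cookie(sid, same_site)
    # A form submission is a top-level navigation; the browser decides whether to
    # attach the cookie, and the user gets no say in it.
    attached = browser_attaches_cookie(cookie, ATTACKER, SITE, "POST", True)
    status = server.change_email(cookie.value if attached else None,
                                 f"https://{ATTACKER}",
                                 {"email": "attacker@evil.example"})
    return status, server.emails["alice"]


def run_legitimate(require_token: bool = True, check_origin: bool = True) -> Tuple[int, str]:
    """The same change made from the site's own form: the defences do not get in the way."""
    server = AccountServer(require_token, check_origin)
    sid, token = server.login("alice", "alice@example.org")
    cookie = Cookie(sid, "Lax")
    attached = browser_attaches_cookie(cookie, SITE, SITE, "POST", True)
    status = server.change_email(cookie.value if attached else None,
                                 f"https://{SITE}",
                                 {"email": "alice@new.example", "csrf": token})
    return status, server.emails["alice"]


if __name__ == "__main__":
    print("no defences, user visits evil.example:", run_attack())
    print("SameSite=Lax cookie:", run_attack(same_site="Lax"))
    print("CSRF token required:", run_attack(require_token=True))
    print("Origin header checked:", run_attack(check_origin=True))
    print("legitimate change with all defences:", run_legitimate())
```

With no defences, the victim's e-mail is changed the moment they load the attacker's page, which is why the user's only option is to stay off other sites while logged in. A per-session token or an Origin check on the server stops the attack without any help from the user, and a legitimate submission from the site's own form still succeeds.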