This disclosure was from last year and the exploit was patched before the researcher published the findings to the public.
Comment on A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account
rollmagma@lemmy.world 9 hours ago
God, I hate security “researchers”. If I posted an article about how to poison everyone in my neighborhood, I’d be getting a knock on the door. This kind of shit doesn’t help anyone. “Oh but the state-funded attackers, remember stuxnet”. Fuck off.
TipRing@lemmy.world 9 hours ago
ryry1985@lemmy.world 9 hours ago
I think the method of researching and then informing the affected companies confidentially is a good way to do it but companies often ignore these findings. It has to be publicized somehow to pressure them into fixing the problem.
rollmagma@lemmy.world 4 hours ago
Indeed, then it becomes a market and it incentivises more research on that area. Which I don’t think is helpful for anyone. It’s like your job description being “professional pessimist”. We could be putting that amount of effort into building more secure software to begin with.
Imgonnatrythis@sh.itjust.works 9 hours ago
I think it’s important for users to know how vulnerable they really are and for providers to have a fire lit under their ass to patch holes. I think it’s standard practice to alert providers to these finds early, but I’m guessing a lot of them already knew about the vulnerabilities and often don’t give a shit.
Compared to airing this dirty laundry I think the alternatives are potentially worse.
rollmagma@lemmy.world 4 hours ago
Hmm I don’t know… Users usually don’t pay much attention to security. And the disclosure method actively hides it from the user until it no longer matters.
For providers, I understand, but can’t fully agree. I think it’s a misguided culture that creates busy-work at all levels.
cmnybo@discuss.tchncs.de 9 hours ago
Without researchers like that, someone else would figure it out and use it maliciously without telling anyone. This researcher got Google to close the loophole that the exploit requires before publicly disclosing it.
rollmagma@lemmy.world 4 hours ago
That’s the fallacy I’m alluding to when I mention stuxnet. We have really well funded, well intentioned, intelligent people creating tools, techniques and overall knowledge in a field. Generally speaking, some of these findings are more makings than findings.