Google has patched a vulnerability in the Google Admin application that could allow attackers to steal enterprise accounts. MWR Labs researcher Rob Miller reported the sandbox-hopping hole, rated medium severity, which can be exploited by malware residing on a user's device. The flaw can be used to steal Google for Work …

  1. Anonymous Coward

    See, it works

    You give a company a deadline, and when that deadline passes, you expose their flaws...and then they'll issue a patch.

    1. Pascal Monett

      If the deadline is reasonable, yes.

      A better way would be to agree on a deadline. If you can't agree on one, there's a good chance that the company won't be patching anything anyway so by all means, impose a deadline.

      But it's always nicer when people can agree to something.

      1. Steve Evans

        It's a tricky thing to judge.

        It's not safe to assume that the white hat hacker is the only person to discover the flaw, a black hat could have discovered the flaw since, or more concerning, before.

        1. phil dude

          Oh yeah...!

          @Steve Evans: and this is something the political classes haven't learnt regarding backdoors.

          Making stuff work properly is hard enough...


      2. James 100

        No, if you can't agree on a deadline (or equivalent criteria; sometimes there might be a dependence on a third party, like submitting a patched version to the Apple App Store then having to wait for Apple to approve it so users can actually install it) - release it straight away, because they're not engaging properly.

        Anything other than agreeing to expedite a fix with a reasonable timescale sounds too much to me as if they're planning to hide it instead - so if you don't disclose ASAP, you'll probably find their lawyers trying to bury you instead. Every day you delay disclosure is another day they might be using to get a court injunction to gag you about it, as Ross Anderson's guys at Cambridge University have encountered in the past.

