From what I understand, there was temporarily a note here from a fellow monk about how I had doubled the damage by revealing specifics.
in reply to Web Security
Please let me assure you that the code snippet I posted
by deliberate action:
Yes, a correlation between the timing of my rant and
my public schedule does indeed reveal that this is a $VERY_LARGE_COMPANY in Silicon Valley. I'll grant that
as a leak. But the web search suggested to me in the
message box revealed only a handful of companies, none
of which is $VERY_LARGE_COMPANY.
- Did not mention the name of the client
- Changed the name of the parameter
- Changed the eval-ish code
Please give me a little credit here. I'm not willing to
compromise my customer's security (even if they've
already done it themselves). I'm just pointing out the
sad state of web security in the world, and being afraid
for my own transactions as I continue to shop and bank
and share information on-line. And hoping maybe I can
stir some of you up to take on security with a bit more vigor, or know when to call in the experts if you don't
see why having eval and fatalsToBrowser were both compoundingly bad news there.
-- Randal L. Schwartz, Perl hacker