Me and AOL (An 3pic saga)

First of all let me start off by addressing those trolls that say that XSS is not a serious vulnerability . Even though it is one of the most common types of vulnerabilities in Web application’s it is still a major threat . I am not gonna start preaching you so here is a article by Mr.Troy Hunt : http://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html

That being said , I dont bother reporting “most” XSS vulnerabilities, The reason being I that I am a lazzzy person.

So let me tell you a “story” , its about me a “really nice guy” who tried to reach out and help AOL (expecting nothing in return),but was faced with a cocky “I don’t care” attitude which hurt me and my pride.Which finally lead me to this(ranting on about it on an obscure blog XD ).

So about a week ago, I wanted to add my site to most of the crawlers in hopes of getting more traffic.A friend of mine suggested me to add myself to http://www.dmoz.org/ (alexa rank:  824 )so I visited it.When I opened it I got that sudden ”6th sense urge” and could not stop myself from checking if the search form is vulnerable to XSS , voila as expected it was.I sent a mail to the admin (still NO reply) and noticed the “In partnership with AOL search” bit so I went  in randomly checked if AOL (alexa rank:67) had any XSS vulnerabilities.

I gave them enough time to fix now its time to go for FULL DISCLOSURE http://www.twitlonger.com/show/jlfkdp

 

And lord behold it was riddled with them !!

 

After some time I actually got bored with finding one at every corner , and thought I should try to contact them and let them know about.And now the toughest job of contacting the security team them began .

First of all they had no section to report vulnerabilities or a feedback form as they call it.

I filled up a few of them and still have not got ANY reply.

A “help” post on how to contact the security team that I made in the discussions thread was REMOVED (proving that the moderators ,saw it and dint bother replying but instead deleted it as it would damage their reputation )

Hence I mailed all the Id’s I could find asking them to connect me to the security team.

Let me post a few naive replies I got from them

I explained to them again and got this reply

And since that dint work I mailed them again

Yet again I sent them a mail

By now most people would have given up , but I am an arrogant person so I mailed them again

And that’s when I broke ! and set out to write this post !

You might be wondering why I included the alexa.com rank for the site’s, that’s cause I wanted to show you all how even a small site has more instinctive to fix a vulnerability  but AOL with its hundreds of workers could not even bother giving me a proper reply.

They were all soon fixed.

So for those who are wondering whats the point of this ?

Well I really dint know. But I think I wanted to show the world how people treat us and to tell AOL to follow the path of Paypal , Microsoft etc allowing people to at least securely report vulnerabilities ,even if you are not paying them at least acknowledge the people who give time and resources out of their lives to help you!

Tell me is that too much to ask ?

 

PS: Post your comments :)