From: Doug Huff <dhuff@jrbobdobbs.org>
Date: Sun, 19 Jun 2011 16:54:28 -0500
To: full-disclosure@lists.grok.org.uk
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Message-Id: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>
Subject: [Bitcoin-development] Bitcoin fun day!

In light of recent events in the "bitcoin community" I have decided that private disclosure of issues is doing nothing but making them more prevalent. In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com .

This set of CSRFs are particularly nasty since this is hosted on appspot and uses google account auth. So long as you stay logged into your google account you are vulnerable to this CSRF.

Things tested:

Changing refund address.
Releasing funds.

POC code (open this in any browser even from a local file):

==========
test
(required)
==========

Javascript auto submittal, hiding in an iframe, and other obfuscation methods are left as an exercise to the list.

This site is run and maintained by Gavin Andresen, aka, the lead bitcoin maintainer. You should know better Gavin.

--
Douglas Huff
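As an added example that is not part of this thread or ClearCoin's own code, the handler model below shows why a login-cookie check alone does not stop the cross-site POST described in the report, and how a per-session synchronizer token plus an Origin check closes it. Session, Request, SITE_ORIGIN, the action name and the https scheme are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed origin of the reported site (the report gives only the http:// URL).
SITE_ORIGIN = "https://clearcoin.appspot.com"

@dataclass
class Session:
    # Hypothetical server-side session looked up from the login cookie.
    user: str
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

@dataclass
class Request:
    # Hypothetical POST as the server sees it.  The browser attaches the login
    # cookie to any form submission, even one served from another site.
    session: Optional[Session]      # None when no valid login cookie arrived
    form: Dict[str, str]
    origin: Optional[str] = None    # Origin header, if the browser sent one

def csrf_token(session: Session, action: str) -> str:
    # Synchronizer token bound to this session and to one action, so a token
    # read from one form cannot be replayed against another.
    return hmac.new(session.csrf_secret, action.encode(), hashlib.sha256).hexdigest()

def set_refund_address_vulnerable(req: Request, db: Dict[str, str]) -> bool:
    # Only asks "is someone logged in?", which a cross-site form also satisfies.
    if req.session is None:
        return False
    db[req.session.user] = req.form["refund_address"]
    return True

def set_refund_address_hardened(req: Request, db: Dict[str, str]) -> bool:
    s = req.session
    if s is None:
        return False
    # 1. An Origin header, when present, must name our own site.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    # 2. The form must carry the token only our own page could have embedded;
    #    compare in constant time so the check leaks nothing through timing.
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(s, "set_refund_address").encode()):
        return False
    db[s.user] = req.form["refund_address"]
    return True
```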
From: Gavin Andresen <gavinandresen@gmail.com>
Date: Sun, 19 Jun 2011 18:33:14 -0400
To: Doug Huff
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>, full-disclosure@lists.grok.org.uk
In-Reply-To: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>
Subject: Re: [Bitcoin-development] Bitcoin fun day!

Some of us take private disclosures of vulnerabilities very seriously.

In any case, the ClearCoin CSRF vulnerability is fixed. Thank you for bringing it to my attention.

On Sun, Jun 19, 2011 at 5:54 PM, Doug Huff wrote:
> In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com .
>
> This set of CSRFs are particularly nasty since this is hosted on appspot and uses google account auth. So long as you stay logged into your google account you are vulnerable to this CSRF.
--
--
Gavin Andresen
http://clearcoin.com/

From: Douglas Huff
Date: Sun, 19 Jun 2011 17:36:27 -0500
To: Gavin Andresen
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>, full-disclosure@lists.grok.org.uk
References: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>
Subject: Re: [Bitcoin-development] Bitcoin fun day!

I know. Please do not take this as a personal attack.

Blame MagicalTux's irresponsible behaviour as of late. :(

On Jun 19, 2011 5:34 PM, "Gavin Andresen" wrote:
> Some of us take private disclosures of vulnerabilities very seriously.
>
> In any case, the ClearCoin CSRF vulnerability is fixed. Thank you for
> bringing it to my attention.
>
> On Sun, Jun 19, 2011 at 5:54 PM, Doug Huff wrote:
>> In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com .
>>
>> This set of CSRFs are particularly nasty since this is hosted on appspot and uses google account auth. So long as you stay logged into your google account you are vulnerable to this CSRF.
>
>
> --
> --
> Gavin Andresen
> http://clearcoin.com/
