Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1QYQba-0001m1-5D for bitcoin-development@lists.sourceforge.net; Sun, 19 Jun 2011 22:36:34 +0000 X-ACL-Warn: Received: from mail-pv0-f175.google.com ([74.125.83.175]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1QYQbZ-00011K-4M for bitcoin-development@lists.sourceforge.net; Sun, 19 Jun 2011 22:36:34 +0000 Received: by pvf24 with SMTP id 24so708143pvf.34 for ; Sun, 19 Jun 2011 15:36:27 -0700 (PDT) MIME-Version: 1.0 Received: by 10.68.22.100 with SMTP id c4mr1870079pbf.270.1308522987149; Sun, 19 Jun 2011 15:36:27 -0700 (PDT) Sender: mith@jrbobdobbs.org Received: by 10.68.40.5 with HTTP; Sun, 19 Jun 2011 15:36:27 -0700 (PDT) Received: by 10.68.40.5 with HTTP; Sun, 19 Jun 2011 15:36:27 -0700 (PDT) In-Reply-To: References: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org> Date: Sun, 19 Jun 2011 17:36:27 -0500 X-Google-Sender-Auth: c7exuRZqC8WO_zkDj0Mp5Za52ds Message-ID: From: Douglas Huff To: Gavin Andresen Content-Type: multipart/alternative; boundary=bcaec5215e25d458cb04a6183f1c X-Spam-Score: 1.0 (+) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 1.0 HTML_MESSAGE BODY: HTML included in message X-Headers-End: 1QYQbZ-00011K-4M Cc: Bitcoin Dev , full-disclosure@lists.grok.org.uk Subject: Re: [Bitcoin-development] Bitcoin fun day! X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Jun 2011 22:36:34 -0000 --bcaec5215e25d458cb04a6183f1c Content-Type: text/plain; charset=ISO-8859-1 I know. Please do not take this as a personal attack. Blame MagicalTux's irresponsible behaviour as of late. :( On Jun 19, 2011 5:34 PM, "Gavin Andresen" wrote: > Some of us take private disclosures of vulnerabilities very seriously. > > In any case, the ClearCoin CSRF vulnerability is fixed. Thank you for > bringing it to my attention. > > On Sun, Jun 19, 2011 at 5:54 PM, Doug Huff wrote: >> In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com . >> >> This set of CSRFs are particularly nasty since this is hosted on appspot and uses google account auth. So long as you stay logged into your google account you are vulnerable to this CSRF. > > > -- > -- > Gavin Andresen > http://clearcoin.com/ --bcaec5215e25d458cb04a6183f1c Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

I know. Please do not take this as a personal attack. Blame MagicalTux&#= 39;s irresponsible behaviour as of late. :(

On Jun 19, 2011 5:34 PM, "Gavin Andresen&qu= ot; <gavinandresen@gmail.com<= /a>> wrote:
> Some of us take private disclos= ures of vulnerabilities very seriously.
>
> In any case, the ClearCoin CSRF vulnerability is fixed. Than= k you for
> bringing it to my attention.
>
> On Sun, Jun= 19, 2011 at 5:54 PM, Doug Huff <
dhuff@jrbobdobbs.org> wrote:
>> In light of this decision I would like to report multiple CSRF vul= nerabilities in http://clearcoin.a= ppspot.com .
>>
>> This set of CSRFs are particularly= nasty since this is hosted on appspot and uses google account auth. So lon= g as you stay logged into your google account you are vulnerable to this CS= RF.
>
>
> --
> --
> Gavin Andresen
> http://clearcoin.com/
--bcaec5215e25d458cb04a6183f1c--