Where to report crucial bugs? (Answered)

Hey, I am posting this topic on behalf of wanting to know where to directly report a crucial security bug to.
This particular bug allows you to inject arbitrary JavaScript code into the site and thus gives you the possibility to do virtually anything, including, but not limited to, fetching cookies of other people and thus logging in as them etc.

I reported all the other crucial bugs to service [at] instructables [dot] com and they got fixed after some time, but the issue with this one is that I reported it more than a year ago and re-reported and re-poked about it multiple times, still no fix present.

So I wonder where I can contact somebody of the dev team directly so that this bug will actually get fixed!

Discussions

mmmelroy, 3 years ago

If you emailed service@ then you have contacted the right people.

Sorunome, reply to mmmelroy, 3 years ago

Well, I emailed them several times but the bug is still present after more than a year.

pseaton, reply to Sorunome, 3 years ago

If it's this URL you mean, as luck would have it, we just released a fix.

pseaton, reply to pseaton, 3 years ago

Ha, well. My own comment got scraped by the backend. Anyway, we did happen to fix one of your reported URLs today.

Sorunome, reply to pseaton, 3 years ago

Ah, yes, I did mean that (just checked whether the thing is still present); glad that it finally got fixed, though I wonder what took so long. Anyhow, it is still generating a 500 internal server error on a single double quote. You might want to look into that, too, as that could mean some nasty stuff.

Sorunome, reply to Sorunome, 3 years ago

(all assuming you meant that injection over the /tag/type-id/category-stuff which I am not able to reproduce anymore)

Downunder35m, reply to Sorunome, 3 years ago

Wow, the code monkey got fresh bananas today :)
Security is restored, everyone happy again :)

Downunder35m, 3 years ago

Just post the code in question for everyone to see here and I am sure within a few days someone will react ;)
But jokes aside, if this massive flaw really is that dangerous, it makes me wonder about the security priorities here....

I hope it will be finally fixed for good soon!

Sorunome, reply to Downunder35m, 3 years ago

Maybe I shouldn't only post it but also elaborate on how exactly you can use it to steal valuable information from other users? :P

Downunder35m, reply to Sorunome, 3 years ago

Hmm, let's recap...
You found the bug...
You know what it can do...
You know how to use it...
So you could just hack the account of someone with enough power and fix the bug yourself, ROFL.
But since it has taken so long already, maybe the possible damage is not so great after all.
I mean, who would care about some stolen user accounts or some real damage...
Enough bad jokes now, time to wait for someone in charge to make a statement on this ;)