Longstanding, unpatched Bluetooth vulnerability lets burglars shut down Google security cameras

“Can you get a visual on the security camera?”
“No, he’s hacking our IP address server with his Bluetooth tablet!”

1 Like

What is more concerning, in this case, is the vendor’s absolutely unacceptable response time (‘last fall’ and still no resolution? For a ‘security’ product? Pitiful); and the flavor of vulnerability.

“Hey, let’s see if that field can handle atypically long inputs…” is among the most elementary ways of poking at something to see if it will fall over; and failing to validate inputs even for length (never mind escape sequences, Unicode freakery, etc.) suggests that somebody didn’t know, didn’t care, or both.

Even if those are actually, by some miracle, the only flaws, the response time is inexcusable; but when somebody bungles a really, really basic aspect of hardening the system, you have to wonder what other exciting surprises are lurking, waiting to be discovered.

1 Like

I triage a lot of serious incoming security bugs (and the not-so-serious ones). This would not be classified as that extreme of a bug given its limited use case and difficulty to trigger in real life. Burglars don’t do this. They throw a rock through your window/sliding glass door (or kick a door in) and waltz through.

Moderate to low security issues are never prioritized in a code base, only serious ones. So, frankly, I’m unsurprised.
