<div dir="ltr">On Mon, Mar 4, 2013 at 6:52 AM, Michael Nolan <span dir="ltr"><<a href="mailto:michaeldnolan@gmail.com" target="_blank">michaeldnolan@gmail.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm in an extensive email "discussion" right now with a financial<br>
services corporation web site that holds some assets for me as part of<br>
a performance clause in a contract. (I can't move the assets, using<br>
them is stipulated in the contract)<br>
<br>
Some of their "security" features are to not allow auto fill-in of<br>
usernames and passwords, (easily defeatable)... and blanking of the<br>
username if the window loses focus using JavaScript functions,<br>
(irritating, but still defeatable)<br>
<br>
I got annoyed and snooped around until I found who does their security<br>
and sent them a heads up and explanation of why it's not a good idea<br>
to try to implement security measures inside a user's browser.... also<br>
a possible scenario on how it could be exploited.<br>
<br>
Needless to say this was not appreciated and I got a nasty-gram<br>
telling me they are watching me and not to screw around with the site.<br>
<br>
No "Thanks, we'll look into it..." or anything like it.<br>
<br>
Nice.<br>
<div class="HOEnZb"><div class="h5"><br></div></div></blockquote><div><br></div><div style>And these are the companies that wonder why there are some researchers who still prefer "full disclosure" to "responsible disclosure." (And some pseudo-researchers who prefer "paid disclosure.") </div>
</div><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>