It looks like Google has indexed Best Buy's personal e-mail subscription pages.
1 point • by appel • 9 months ago
I stumbled upon this today because I googled a certain phrase and the first two results led me to a personalized email (un)subscribe form with individual e-mail addresses at the top.

I thought that was not great, so I submitted it to hackerone as per BB's responsible disclosure policy, but they closed the report and changed the status to "Informative".

> Thank you for your submission!
> Although your finding might appear to be a security vulnerability, this behavior does not really pose a concrete and exploitable risk to the platform.
> Bestbuy only views this as an issue if the links are obtainable from Bestbuy systems directly, which doesn't appear to be the case here.
> Your effort is nonetheless appreciated and we wish that you'll continue to research and submit any future security issues you find.

Are they right, is this no big deal and am I overreacting?

Not sure if I should share the actual search term that produces these URLs here, but I'd be happy to share it with dang.