[opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

Discrete Dreamscape discrete.dreamscape at gmail.com
Sat Aug 21 08:39:53 PDT 2010


I don't care if it's relevant; it should still be clarified. "Did
nobody think?" Of course not, nobody knew he would actually go through
with something like that.


Discrete


On Aug 21, 2010, at 11:31 AM, Katharine Berry
<katharine at katharineberry.co.uk> wrote:

>> 2) The active developer of a malicious viewer under the lolguise of
>> promoting exploit/bugfixing.
>
> As I have pointed out elsewhere – I don't think that anyone was actually considering the target to be terribly virtuous. I also don't think this is terribly relevant.
>
> But given you repeatedly emphasise that he is malicious, did nobody think that it might be unwise to secretly load a website owned by a malicious party on login? Aside from WebKit/Qt exploits and the like, the SL client also considers the login frame to be "trusted" (admittedly, there's not much you can do with this before logging in besides changing the login location, off the top of my head).

