Individual Bestbuy email subscription pages are apparently indexed by Google.
I stumbled upon this today because I googled a certain phrase and the first two results led me to a personalized email (un)subscribe form with individual e-mail addresses at the top.

I thought that that was not great, so I submitted it to HackerOne as per BB's responsible disclosure policy, but they closed the report and changed the status to "Informative".

> Thank you for your submission! Although your finding might appear to be a security vulnerability, this behavior does not really pose a concrete and exploitable risk to the platform. Bestbuy only views this as an issue if the links are obtainable from Bestbuy systems directly, which doesn't appear to be the case here. Your effort is nonetheless appreciated and we wish that you'll continue to research and submit any future security issues you find.

Are they right, is this no big deal and am I overreacting?

Not sure if I should share the actual search term that produces these URLs here, but I'd be happy to share it with dang.