Attachments from GitHub’s private issue trackers can be viewed without any authentication

Disclaimer: I disclosed this security issue to GitHub, and they choose to not fix it (We have reviewed your report and determined that this functionality is working as expected). This is undocumented behavior, so I am describing it here. Also, note that I am not asking anyone to hack GitHub nor I am going to …

Security: How to obtain someone’s username/login from the “Gmail for work”?

Photo: freeimages.com Short version: Gmail leaks your username. Always! To get username/login information for Google Apps user (paid Work/Business account) you need one email message. Just look at the Return-Path header. Fortunately, you do not know password yet, but combined with other weaknesses (like password reuse) this is not a problem. Determining if someone is …

Warning: HostGator leaks your cPanel usernames, script path, and more

Once upon a time the HostGator was a great hosting company – great technical support, great prices, good performance, predictable policy, etc., and positive-thinking CEO who blogs about the company, about fortunes and failures… Fast forward to year 2012. CEO and founder Brent Oxley sells HostGator to EIG. They are famous of “acquiring a large …