item 23714553

anticonformist | 5 years ago

They started a fire through mild negligence, denied the fire existed, and only put out the fire when the entire neighborhood started yelling.

It was a forgivable-but-negligent decision to write/approve that code in the first place. It was a sign of a bad process that a reported security vulnerability was not escalated to people security-conscious enough to immediately identify this as a major problem.

I don't agree with the outrage. Anyone who has followed DDG knows they're legit. They just need to do a bit better. They probably will.

Their main feature is privacy. They should be at least as sensitive to privacy vulnerabilities as their most aware users.

DDG should announce that they now pay out privacy-related vulnerabilities like this and send the reporter $5k. It would be good honest PR and well worth the expense.

jiofih | 5 years ago

Correct me if I’m wrong, but by default DDG uses redirects to prevent leaking your search queries through the referrer, so they already can technically see every URL you visit. Except their whole product and system is designed around protecting privacy and not storing that data. If the favicon endpoint respects the same rules (which it obviously does), it is no different.

sam0x17 | 5 years ago

Except the favicon thing applies not just to searches on DDG, but to every page you visit if you use this browser.