Security: Digg Versus Furl

15 Feb 2006

While adding links to my feed, I noticed similar security vulnerabilities in both Digg and Furl. (Josh Ribakoff of DevNetwork Forums played a part in discovering Furl's vulnerability.) Of course, I immediately notified each of them and offered a simple example exploit. I was happy to find that both sites provide contact information. Digg's is easy to find (a Contact Us link at the bottom), and Furl's takes some digging (sorry for the pun), but my experience with other sites has been much worse.

I was disappointed by their initial response. I don't mean to suggest that I expected a personal email or acknowledgement, but I had hoped to see the vulnerabilities fixed within a relatively short period of time. After a week or two had passed, I decided to contact them again, stressing the severity of the vulnerability (and simplicity of the solution). Digg immediately replied:

Thank you for your concern and feedback, we will sure look into it.

Within a few days, the vulnerability was fixed.

Furl did not respond, nor have they fixed the vulnerability. At best, this illustrates a breakdown in communication. At worst, it shows a lack of concern for their users' safety.

Update: Michael from Furl responded (see comments), and he left a direct email address that you can use to report security issues. The vulnerability has not been addressed, but hopefully that will happen very soon.