User Details
- User Since
- Apr 25 2018, 7:59 PM (343 w, 16 h)
- Roles
- Administrator
- Availability
- Available
Oct 29 2022
T25#429 is now fixed (Google notified me on Feb 19, 2022, and I could verify it now). Thus, publishing the whole report.
Jul 15 2022
Oct 24 2021
I just checked T25#429 hasn't been fixed yet, so I just sent a message in the Buganizer bug to state that.
Google sent the automatic "Our systems show that all the bugs we created based on your report have been fixed by the product team" message on Jul 3, 2021, so I'm marking this as verified.
Jun 26 2021
I'm marking this report as fixed since I've just checked that all the reproduction steps shared here don't work anymore (the endpoints seem to be properly protected now).
On Jun 15, 2021 I contacted Google:
Jun 15 2021
This has been fixed a long time ago by Google. Unrestricting access.
I just confirmed that the main vulnerability is fixed, while the one in comment T25#429 isn't.
Feb 20 2021
Google mentioned on Jan 7 that a bug report was filed based on my report, so I'm marking this issue as accepted.
Jan 26 2021
Jan 8 2021
Another vulnerability similar to this one has been reported to Google on Jan 8, 2021 as a comment in the same bug opened by this vulnerability report, due to the similarities between both vulnerabilities.
Jan 2 2021
Sep 15 2020
Jul 20 2020
The blocking report has been published, so publishing this report too.
On Feb 14 2020, 8:47 PM, Google told me they fixed the issue and I could also verify the issue was fixed. Therefore, I'm marking this report as Verified and disclosing it to the public.
On May 16 2020, 2:34 PM, SAE told me the developers fixed this issue, and I could verify this, so I'm marking this report as verified and disclosing it to the public.
May 14 2020
Apr 19 2020
Apr 15 2020
Apr 14 2020
Marking as verified because UB's SAE confirmed that the vulnerability was fixed on Feb 21 2020, 12:14.
Feb 23 2020
On Feb 21, 2020, SAE confirmed that the vulnerability was fixed. From my end it also seems like it is fixed, so I'll be changing its status to verified and will publish it.
Feb 18 2020
This vulnerability seems to be fixed from my end since a couple of days ago. Therefore, I'm marking it as fixed.
Feb 4 2020
On Sep 12, 2019 Google confirmed that the vulnerability was fixed, so I'll publish it now.
Jan 19 2020
On Jun 20, 2019 12:06 AM Google replied:
Changing its status to "started", because SAE (Servei d'Atenció a l'Estudiant) told me on Jan 16, 2020:
Jan 13 2020
I haven't received any response, so I just sent them an email saying that I'll set this report to be autopublished in a week (which means setting the deadline field to 154 days), given that I verified that the issue was fixed.
Nov 27 2019
Since I reported the vulnerability in August, I only contacted them once again on Sep 2 to confirm whether they received the vulnerability details or not. They didn't reply and so I didn't know whether they actually received it.
Nov 20 2019
Nov 19 2019
Sep 17 2019
CESICAT sent me an email on Sep 13, 2019, 4:54 PM stating the following:
Sep 9 2019
I haven't updated this report for a long time, so this is the timeline of the most important events since CESICAT had access to the vulnerability details until now:
Aug 23 2019
T13 and T14 were considered the same bug by Google in their own issue tracker, so I marked T14 as a duplicate of T13 in my issue tracker.
Aug 19 2019
Jul 21 2019
Jun 19 2019
On Jun 19, 2019 4:23 PM I contacted Google again in order to tell them that 89 days have elapsed since the reporting date and to inquire about whether the fix was already implemented or not.
Jun 15 2019
Jun 11 2019
I emailed an AES-256 encrypted ZIP file with a translation of this report in Catalan on Jun 10, 3:18 AM and I just gave CESICAT the key via another contact method, so I'm setting this vulnerability as reported on Jun 11, 1:00 PM because this is when they first had access to the document.
Jun 10 2019
Jun 5 2019
Prinsen Group seems to have disappeared completely from the map and exactly 1 year has passed since the vulnerability was first known, so I'm disclosing it publicly and marking it as WontFix.
On Apr 24 2019, 8:39AM Google said:
Apr 22 2019
On Mar 23, 2019 2:41AM I sent Google another email detailing another vulnerability I found in the same API:
Mar 22 2019
Mar 19 2019
The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.
The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.
Mar 18 2019
Mar 17 2019
I received a repsonse from them on Tue, Mar 12, 6:44 PM:
Just as an observation, this report was sent to pau@ub.edu on Feb 7, 2019, 12:43 AM, 20 days ago.
I've been quite busy for the last week so I haven't been able to update this issue until today.