Debating whether to let this go on or not, I’d have to say that I am impressed that you’ve come about the way you have. To make a omission like that, stepping outside of pride whenever a mistake has been made, and to take responsibility for it - that shows A LOT of character.

As for the misunderstanding, no harm, no foul - our intent was to get you to sort it out or resolve it with RSnake himself, thereby exemplifying the idea that people don’t have to come to “e-fists” to work out their issues online.

We hope you’ll continue to advance yourself, continue to come back by to visit and maybe we’ll even be able to mirror commentary on some of your finds that you’ll undoubtedly have in the future.

Hello, I’d just like to apologize to you for posting such things here. I’d like to admit now that I’ve been doing a little more research upon this vulnerability which was posted on http://ha.ckers.com and also on here.

That being said, I went to re-read the news article upon Xssed.com and it would seem that I’ve mislead my self to believe that this vulnerability posted here was the very one that I found that was posted on Xssed.com the one I found (which I did) and nobody else to my current knowing has found.

This one and the one I found are different, and if you look at the news post I gave you on Xssed.com it actually links right to the http://ha.ckers.org one showing a totally different one.

An I do agree that it was a mistake on my part that this whole misleading here now happened.

Sorry for the trouble.
-x2Fusion

I’m reading excuses, excuses that lend credit to laziness on your part. Upon entrance to http://ha.ckers.org , you’ll inevitably notice that there is a link “about us” to the right-hand side. Had you taken the time to click on that link, you’d have found that which you seek. Therefore, it absolutely was not impossible - you failed to do your research, just as you have with this claim.

Regarding being an adult, being an adult is a mindset and has nothing to do with your fiscal responsibility. Your immaturity and ego is getting the best of you here. Yes, you do know that the vulnerability was found by you, as well as several others before you - credit isn’t due to someone who is on the tail-end of the ‘discovery’. You’ve caused this ‘commotion’ and we’ve allowed it to remain in the comments - learn from your mistakes.

Please realize, you’ve only served to harm your own credibility with your commentary. Let this be a lesson-learned for your future ventures and good luck in your next efforts. I’m sure you’ll come up with some truly exciting finds if you’re picking this concept up at 16 years old.

You still have approximately 24 hours to contact him wherein I will stand by my word.

That being said, I never had his E-Mail Address to contact him anyway so that was pretty impossible.

Well, I’m sorry I brought this up here, an as for the ‘chance to be an adult’ well I’d like to but I’m not going to lie I’m just not ready to be a responsible adult just yet, I’m just 16 and can’t yet to think of taxes and all that stuff.

Well, I know who truly found the vulnerability first. I don’t mind it being posted here I’m happy with that and to where ever else it was posted it doesn’t bother me, I just wanted it to be known that I was the one which found it and if the credit was given anyway in the first place then it would have saved this little commotion now wouldn’t it?

Either way, this’ll be the last post here from me now. I’ll try and find RSnakes E-Mail if I can then I’ll E-Mail him.

Thank you,
-x2Fusion

I do hope you realize this article is a follow-up/promotional article to his article in attempt to put pressure on Google to fix their mess and raise awareness of their inappropriate views on the security of their operating public.

I wrote RSnake an e-mail regarding it since you decided to post to our site instead of taking the issue up with him directly (note: we didn’t remove your comments however contradictory they might be or discourteous to have been publically posted instead of taking it up with the original author first) referencing your post.

In part, here it is:

“... We've got a fellow on theReformed claiming ( here ) that he discovered the hole you posted about, reference ( here ). I’ve left it to you to confirm or rebutt at your leisure on the site since we wouldn’t be able to responsibly verify it.”

In part, here is his response:

“... I've been too busy to defend myself these days. He may have also found it, but I certainly didn't rip him off. I have got emails with Google that definitely pre-date that post.”

Then, I made a venture to his site to review his the original article - where I saw you posted to his website the same comments. Let me recap what I posted to his site in response to your statement(s):

“@x2Fusion

Instead of concentrating on the fact that the problem is being addressed by outside parties because Google refuses to, you’ve only concentrated on ensuring you get your name in lights.”

I stand by those statements, especially when it wasn’t only RSnake, a respected industry analyst/researcher, that was aware of this problem. He just posted a responsible, comprehensive article referencing the situation - just because some already knew, noone got upset about the fact that he took it to press.

So why the issue for you? Because you feel he took your limelight, your questionable 15 seconds of fame? 2-3 weeks vs at least 2 months friend, you’re still behind the game if we go by even your statements above, ‘fyi’.

So this is what I am going to do for you. I am going to give you the chance to be an adult and take it up with him personally, by e-mail, telephone or carrier pigeon. I will confirm with him whether or not you’ve done that in 48 hours. If you don’t, you’ll probably find something done with your comments ala moderation since we allowed your comment(s) to surface here in the first place.

I’ve E-Mailed Xssed about it and they said I should contact RSnake and it was submitted onto XSSed before it was posted on here as far as I know.

I found it at least two to three weeks before I submitted it onto Xssed, fyi
-x2Fusion

I question the validity of that statement, but I will pass it on to RSnake and if he wishes to counter or confirm, he can at his leisure, especially when his article is published as of “20070817″ and yours was supposedly published as of “20070820″ (three days later).

http://www.xssed.com/news/39/XSS_vulnerability_in_iGoogleGmodules_when_calling_external_widgets/

-x2Fusion