June Will Be Month of Search Engine Bugs

← Back to Stories (view on slashdot.org)

June Will Be Month of Search Engine Bugs

Posted by CmdrTaco on Sunday May 20, 2007 @04:23AM from the put-on-your-hard-hats dept.

De Garmo writes "A Ukranian hacker known as "MustLive" has announced plans for a Month of Search Engine Bugs project in June 2007. The plan is to shake out cross-site scripting bugs in the most popular search engines (think Google, Yahoo, MSN, Ask.com) and publish details on these flaws. From the article: "[The] purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet. To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines' owners to security issues of their sites.""

60 comments

Min score:

Reason:

Sort:

i wonder... by Anonymous Coward · 2007-05-20 04:38 · Score: 1, Funny

will we eventually be able to google for these bugs?
A few to get started with by thornmaker · 2007-05-20 04:39 · Score: 5, Informative

Here's a few to get off the ground with: http://sla.ckers.org/forum/read.php?3,44,page=47
1. Re:A few to get started with by baadger · 2007-05-20 07:57 · Score: 1
  
  Yet another reiteration of why you should use NoScript (or similar controls in your browser of choice) to only enable javascript on sites (preferably with one click) when they aren't working, and why more sites should be specifying their need for Javascript.
2. Re:A few to get started with by klept · 2007-05-20 14:16 · Score: 1
  
  Ok I assume these search engines are to be used in place of the more popular search engines during bug month. Do all of these search engines have their own developed algorithms and other programming procedures for search? Or are they using Google's or some other popular search engine's algorithm for their search. As am sure you know, many search engines use a more popular se's alg. Think Yahoo was using Google's at one time. If all of these se's have their own independent algorithms, they will very useful in bug month because of course the targets will be those with some percentage mass. But they wont be as good as Google which is so popular because it is still the best.
3. Re:A few to get started with by klept · 2007-05-20 14:24 · Score: 1
  
  Two things forget to mention One is thank you. The other is that I could be completely wrong lol about the search algorithm having anything to do with xss.
Well by TheRealMindChild · 2007-05-20 04:39 · Score: 1, Interesting

Well, if it is "bugs" you are looking for (not just security exploits), here is one:

Try searching google for "\\.\"

You Windows driver programmers should know what it is about.

--

"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
1. Re:Well by binaryspiral · 2007-05-20 04:43 · Score: 1, Informative
  
  Try searching google for "\\.\"
  
  You Windows driver programmers should know what it is about.
  
  http://www.google.com/search?q=%22%5C%5C.%5C%22
  
  Brings up nothing, but I'm interested to read what you find.
2. Re:Well by zaajats · 2007-05-20 04:51 · Score: 4, Informative
  
  I'd say the response is exactly the same as with "(", meaning the special sequence is not special after all and that google simply ignores all-symbol searches. Or something.
3. Re:Well by Anonymous Coward · 2007-05-20 05:11 · Score: 1, Interesting
  
  Submitting a completely blank search box just sends you to the google homepage.
  http://www.google.com/search?q=
  
  Searching for something that returns no hits gives you a helpful message
  http://www.google.com/search?q=ncjkxhsk%5Caflhjsdk a
  
  But searching for only symbols gives you a nice blank page!
  http://www.google.com/search?q=()())
  
  Fun and games with google!
4. Re:Well by Anonymous Coward · 2007-05-20 06:22 · Score: 0
  
  Try searching google for "\\.\"
  You mean like this?
5. Re:Well by Anonymous Coward · 2007-05-20 06:33 · Score: 0
  
  But searching for only symbols gives you a nice blank page!
  You get the same result if you search for just a space.
6. Re:Well by highonlife · 2007-05-20 06:36 · Score: 2, Interesting
  
  Here is something that should be more of interest.
  
  Search for ".com" in google.
  http://www.google.com/search?hl=en&q=.com&btnG=Goo gle+Search&meta=
  The first site found is microsoft, the second site found is yahoo. Now if i understand the pagerank system correctly, and i find this reasonably hard to believe, this means that more people link to yahoo and microsoft than google itself? Further down the page you find amazon, and even ask.com
  On the other hand, i think this is reasonable proof that google isnt doctoring it's search results to lower the page rank of its main rivals. Or in Google's eyes...is this a bug?
7. Re:Well by Jeff+DeMaagd · 2007-05-20 06:44 · Score: 1
  
  I think it's annoying that Google removes symbols, and I think other search engines do too. It makes doing searches for specific things very hard. Heck "10-200" (in quotes) won't give you only exact matches, it will return any page with 10 and 100 in it rather than the specific string. Advanced mode exact string search didn't do me any good last I tried it. It's important for looking up very specific things, like model numbers or part numbers and any thing that doesn't match exactly isn't relevant to the search.
8. Re:Well by caffeinemessiah · 2007-05-20 06:44 · Score: 1
  
  Not necessarily. There's a good chance the "." is being stripped, so what you're searching for is "com". Microsoft Component Object Module (COM) comes up first, but that's not surprising because it's been around for years.
  
  --
  An old-timer with old-timey ideas.
9. Re:Well by highonlife · 2007-05-20 06:49 · Score: 1
  
  I would normally agree with you, but how does that justify yahoo at number two?.
  The only reason yahoo is at number two (if i understand the highlighting correctly) is because it is catching the ".com" in yahoo.com.
  If fact, (i dont know what they call these ...sublinks...the ones that are tabbed away and below the main link) the sublink to the microsoft link (which is about COM at number 1) is to microsoft.com, again found by the *drum roll please* ".com" in "microsoft.com".
  
  If anyone makes a "com again" joke just because they are confused by what i said, ....its wholly justified.
10. Re:Well by Draykwing · 2007-05-20 08:11 · Score: 1
  
  You know, some other people have been suggesting that Google removes symbols from their searches, but I don't find this to be true. As an example, google (with quotes) "foo.*baz" . You will notice that bar is also bolded , as just as if it was (gasp) a search term. Why? Because regexes work, that's why!
11. Re:Well by jez9999 · 2007-05-20 08:20 · Score: 1
  
  Indeed. Try this.
  
  --
  == Jez ==
  Do you miss Firefox? Try Pale Moon.
12. Re:Well by thzinc · 2007-05-20 10:24 · Score: 1
  
  Actually, you should search for site:com...
13. Re:Well by zaajats · 2007-05-20 10:45 · Score: 1
  
  I think it's annoying that Google removes symbols...
  
  I totally agree, but also believe this is a case where the technical difficulty of fixing it actually is significant - in addition to creating indexes of single words (and numbers) they'd also have to index all punctuation etc (in addition to word order, which they already do)
14. Re:Well by selbk · 2007-05-20 13:29 · Score: 1
  
  .com again?
  
  --
  This sig was made on a Wednesday. Take that, Commie.
...however... by inertia187 · 2007-05-20 04:43 · Score: -1, Flamebait

People in Soviet Russia, however, appear to be afflicted with amusing juxtapositions of the aforementioned situation.

--
A programmer is a machine for converting coffee into code.
SLAVA UKRAINA by Anonymous Coward · 2007-05-20 04:46 · Score: -1, Offtopic

SLAVA UKRAINA!!!!!
Can I make a request? by SilentChris · 2007-05-20 04:59 · Score: -1, Redundant

This has nothing to do with search engine bugs, but as I'm conversing with offshore programmers/admins/etc. more and more, I'm running into this and it's really starting to irk me.

* If you're going to make declaration in English, please speak properly.

Nothing derails a serious attempt at disclosing security issues more than "[The] purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet." It should be something like "The purpose of this Month of Bugs is a demonstration of the state of security of the most popular sites on the Internet: search engines."

I understand not everyone is a native English speaker. Fine. But I don't randomly declare I'm going to find security flaws in broken Ukrainian. If anything, simply get a friend fluent in both languages to translate.

(Also, I understand that language doesn't diminish the importance of the finds. However, in all sincerity, why should a random person not into security take this guy's work seriously if he can't spend 5 minutes to get a translator?)
1. Re:Can I make a request? by SilentChris · 2007-05-20 05:01 · Score: 1
  
  By the way, before anyone jumps on me, the line should read:
  
  * If you're going to make a declaration in English, please speak properly.
  
  I'm not above fault myself. In my defense, however, I'm not trying to get the attention of a worldwide audience.
2. Re:Can I make a request? by QuickFox · 2007-05-20 05:26 · Score: 1, Insightful
  
  How many foreign languages do you speak flawlessly?
  
  --
  Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
3. Re:Can I make a request? by Timesprout · 2007-05-20 05:33 · Score: 4, Funny
  
  If you're going to make declaration in English
  SilentChris: English Learnings of Grammar for Make Declaration Glorious Nation of Ukraine.
  
  --
  Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
  What truth?
  There is no dupe
4. Re:Can I make a request? by Anonymous Coward · 2007-05-20 05:47 · Score: 0
  
  "How many foreign languages do you speak flawlessly?"
  
  A whole bunch.
5. Re:Can I make a request? by SilentChris · 2007-05-20 06:14 · Score: 0
  
  I don't claim to speak any foreign languages. I also don't attempt to speak them. The same way I don't attempt to do brain surgery.
6. Re:Can I make a request? by Menkhaf · 2007-05-20 06:25 · Score: 3, Insightful
  
  Aww, shut the fuck up! Give the man a break. I'd be glad to read his broken English if he has something interesting to say, and it seems like he does. Just because he's not a native English speaker doesn't mean that you can't understand what he's trying to say. I'm not a native English speaker myself, but I do my best, and I'm pretty sure he did too.
  
  --
  A proud member of the Onion-in-Hand alliance
7. Re:Can I make a request? by QuickFox · 2007-05-20 07:02 · Score: 4, Insightful
  
  Brain surgery? What a comparison!
  
  You'll have an extremely hard time convincing us Europeans to follow your rule. Lots of people here know several languages and use them all frequently, without knowing them well enough to speak flawlessly. We use foreign languages both for business and for fun. You'll have a very hard time convincing us to stop doing this.
  
  In my opinion it would be a very boring world if people followed your rule. For example, I couldn't write this post. English isn't my first language, it's not even my second, so who knows what errors might sneak in without my noticing!?
  
  Maybe I'd better shut up now, in case I'm subjecting you to painful language errors without noticing.
  
  --
  Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
8. Re:Can I make a request? by Snarkhunter · 2007-05-20 08:26 · Score: 0
  
  Hell, most native speakers of English don't even do it right. The word is "ya'll" people.
9. Re:Can I make a request? by asninn · 2007-05-20 09:05 · Score: 1
  
  Let's hear your Ukrainian, then! Or any foreign language, for that matter. Come on, show us what you can do!
  
  Oh, you don't speak any languages besides English? How unexpected.
  
  --
  butter the donkey
10. Re:Can I make a request? by SilentChris · 2007-05-20 10:36 · Score: 1
  
  I pointed out the mistake before you did. Do I win a prize?
  
  There's a big difference, by the way, between making a single mistake and pointing it out almost immediately in a lone Slashdot discussion (as I did), versus making multiple mistakes, while not bothering to correct any, in holding worldwide search engines for ransom.
  
  In either case, I applaud your thoroughness in not bothering to read the replies to my post before flinging one of yours on the wall. (I'll leave the examination of the semantics of my last sentence as an exercise for the reader).
11. Re:Can I make a request? by SilentChris · 2007-05-20 10:39 · Score: 1
  
  Nor do I attempt to speak them. As I mentioned, I don't attempt to engage in any exercise that I know will fail in. Not brain surgery, not holding search engines hostage, and not speaking Ukrainian.
12. Re:Can I make a request? by digital+bath · 2007-05-20 13:42 · Score: 1
  
  o rly?
  
  --
  find / -name "*.sig" | xargs rm
13. Re:Can I make a request? by Timesprout · 2007-05-20 14:03 · Score: 1
  
  I pointed out the mistake before you did. Do I win a prize?
  Well given the context of your error, you are a prize. A prize twat, but a prize none the less.
  There's a big difference, by the way, between making a single mistake and pointing it out almost immediately in a lone Slashdot discussion (as I did), versus making multiple mistakes, while not bothering to correct any, in holding worldwide search engines for ransom.
  Well given you criticize the quality of English from non native speakers and then proceed to make several grammatical errors (not all corrected) in your comments methinks the lady doth protest too much.
  In either case, I applaud your thoroughness in not bothering to read the replies to my post before flinging one of yours on the wall. (I'll leave the examination of the semantics of my last sentence as an exercise for the reader).
  I read your reply, having already noticed your error. Your comment was still fair game since having been so quick and offtopic to criticize others you then immediately displayed the very same failings you criticize. Priceless!
  
  --
  Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
  What truth?
  There is no dupe
14. Re:Can I make a request? by Anonymous Coward · 2007-05-20 17:17 · Score: 0
  
  Nor do I attempt to speak them. As I mentioned, I don't attempt to engage in any exercise that I know will fail in. Not brain surgery, not holding search engines hostage, and not speaking Ukrainian. Only an American would compare speaking more than one language to something that only trained professionals should attempt like brain surgery.
15. Re:Can I make a request? by Samuraiasshole · 2007-05-20 18:09 · Score: 1
  
  Language is only a metaphor. Just add heurestic methods, discriminative bayesian, expectation maximization and other crap, that's called Google Translate, moron! Even not-so-fluent English speaker can become a president. So what's the cluck is for eh?
16. Re:Can I make a request? by Anonymous Coward · 2007-05-20 18:15 · Score: 0
  
  You really need a lobotomy, Chris.
17. Re:Can I make a request? by SilentChris · 2007-05-21 03:51 · Score: 1
  
  Who said I was American?
18. Re:Can I make a request? by zobier · 2007-05-21 15:51 · Score: 1
  
  Don't feed the trolls ppl. The guy speaks one language (not even flawlessly), you come along and make a damned fine effort with English as your nth language. Don't waste your time (unless you wanted to show of your linguistic prowess, in which case go right ahead).
  
  --
  Me lost me cookie at the disco.
All bugs are shallow by Anonymous Coward · 2007-05-20 05:02 · Score: 0

javascript is the bug. Input validation is no big deal for any programmer with a clue, perhaps that's also a bug :-o
definitions! by ThwartedEfforts · 2007-05-20 05:32 · Score: 2, Funny

The plan is to shake out cross-site scripting bugs in the most popular search engines (think Google, Yahoo, MSN, Ask.com)
Uh, thanks for explaining what a search engine is, in order to stave off the inevitable questions of "What's a search engine? Why do the editors think we know this?".
Small Banks by daeg · 2007-05-20 05:55 · Score: -1, Offtopic

Small banks and/or credit unions couldn't afford it.

Small banks are not currently the ones losing the most money. It's the big banks. Yet it would instantly be turned into a "Citi.bank offers a guaranteed secure URL -- does your credit union?" advertisement, further diminishing the marketshare of smaller, independent banks and credit unions. Remember, competition is GOOD, especially in the financial arena.

In the long term, it still solves absolutely nothing, but makes a pile of money for whoever controls .bank.
month of x, month of y by Anonymous Coward · 2007-05-20 05:55 · Score: 5, Funny

can we have a month of free, good porn? i spend all day looking at bugs, i could do with something else for a change...
1. Re:month of x, month of y by kirun · 2007-05-20 06:03 · Score: 3, Funny
  
  If you have an ipv6 connection, yes. Wait and see.
  
  --
  I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
2. Re:month of x, month of y by Anonymous Coward · 2007-05-20 06:24 · Score: 1, Funny
  
  What about those of us who like bug porn, you insensitive clod!
Can *I* make a request? by cp.tar · 2007-05-20 06:49 · Score: 1

Mod parent way up.

--
Ignore this signature. By order.
No ads bug on Google! by cyberianpan · 2007-05-20 06:49 · Score: 4, Informative

Try this link. Google without any ads ? Ok we could configure our machines to bloack ads but I use different machines a lot, if that "backdoor" link becomes popular Google would be in trouble ! I picked up on this "bug" from here.

Yes strictly it isn't a bug in the sense that it harms the user but it is the same as a bug that allows you use a program for free.
1. Re:No ads bug on Google! by jesser · 2007-05-21 07:03 · Score: 1
  
  That also turns off the "Did you mean:" spelling suggestions, the image results when you search for something like "Firefox logo", and the map results when you search for something like a zip code or address. If you found a "full Google search" without ads, that would be more interesting.
  
  --
  The shareholder is always right.
Going to be something like Johnny's site? by Jugalator · 2007-05-20 06:50 · Score: 1

Hmm, I wonder if it's going to be something like this...?
http://johnny.ihackstuff.com/ghdb.php

--
Beware: In C++, your friends can see your privates!
MoAB sure helped by Anonymous Coward · 2007-05-20 06:59 · Score: 0

Based on how Apple completely turned around their company and the focus of their insecure product, I'm sure that the search compan... what? Apple didn't begin doing anything differently? Oh. How embarrassing.

Nevermind...
Month of the Slashdot bugs? by Anonymous Coward · 2007-05-20 07:21 · Score: 0

It's only a matter of time... I wonder how long 'till we have the Month of the Slashdot Bugs?
hmm by MadKad · 2007-05-20 07:48 · Score: 1

sounds like a load of pap to me, will have to wait and see.

--
Webmaster SEO Forum
Wrong bug - by HW_Hack · 2007-05-20 08:03 · Score: 4, Funny

Shouldn't June be the month or "June Bugs" ... damn things used to scare the hell out of me as a kid. And I don't even want to talk about Potato Bugs

--
Its not the years, its the mileage .....
1. Re: Wrong bug - by gidds · 2007-05-21 00:10 · Score: 1
  
  As long as we don't go straight to the Month of Stomach Bugs...
  
  --
  Ceterum censeo subscriptionem esse delendam.
Re:Well: No by rduke15 · 2007-05-20 08:42 · Score: 1

Because regexes work, that's why!

Of course not. Regexes do NOT work in Google searches. Try searching for sla.*dot, and you will find, as expected, things with "sla" and "dot". The closest to slashdot you may come across could be a sla.dot Word template if /. had such a thing, and was using Word, and had decided that typing slashdot was too long and that sla would do since you cannot have a Word template called "/.dot"...
"Bugs" by bendodge · 2007-05-20 09:49 · Score: 1

To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. What impressive language skills our editors have!

--
The government can't save you.
Search Engines Should Support PCRE n/t by Wikipedia · 2007-05-20 18:55 · Score: -1

Search Engines Should Support PCRE n/t

--
P2P Anonymous Distributed Web Search: http://www.yacy.net/
Regexes don't work - it's wildcard word matching by ribuck · 2007-05-21 00:31 · Score: 1

It's not a regexp search. Google treats words joined by a dot as if they were enclosed in doublequotes (thereby triggering a phrase search), and treats an asterisk as matching any whole word (actually sometimes short phrases are matched too.

So your search for foo.*baz is the same as a search for "foo *" baz. Because the phrase "foo bar baz" is common on programming sites, you're likely to see "bar" bolded because it matches the asterisk.

--
Paid Q&A/Research