June Will Be Month of Search Engine Bugs

De Garmo writes "A Ukranian hacker known as "MustLive" has announced plans for a Month of Search Engine Bugs project in June 2007. The plan is to shake out cross-site scripting bugs in the most popular search engines (think Google, Yahoo, MSN, Ask.com) and publish details on these flaws. From the article: "[The] purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet. To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines' owners to security issues of their sites.""

i wonder...

[Anonymous Coward]

will we eventually be able to google for these bugs?

A few to get started with

[thornmaker]

Here's a few to get off the ground with: http://sla.ckers.org/forum/read.php?3,44,page=47 [ckers.org]

Re:

[baadger]

Yet another reiteration of why you should use NoScript (or similar controls in your browser of choice) to only enable javascript on sites (preferably with one click) when they aren't working, and why more sites should be specifying their need for Javascript.

Re:

[klept]

Ok I assume these search engines are to be used in place of the more popular search engines during bug month. Do all of these search engines have their own developed algorithms and other programming procedures for search? Or are they using Google's or some other popular search engine's algorithm for their search. As am sure you know, many search engines use a more popular se's alg. Think Yahoo was using Google's at one time. If all of these se's have their own independent algorithms, they will very useful

Re:

[klept]

Two things forget to mention One is thank you. The other is that I could be completely wrong lol about the search algorithm having anything to do with xss.

Well

[TheRealMindChild]

Well, if it is "bugs" you are looking for (not just security exploits), here is one:

Try searching google for "\\.\"

You Windows driver programmers should know what it is about.

Re:

[binaryspiral]

Try searching google for "\\.\"

You Windows driver programmers should know what it is about.

http://www.google.com/search?q=%22%5C%5C.%5C%22 [google.com]

Brings up nothing, but I'm interested to read what you find.

Re:Well

[zaajats]

I'd say the response is exactly the same as with "(" [google.com], meaning the special sequence is not special after all and that google simply ignores all-symbol searches. Or something.

Re:

[Anonymous Coward]

Submitting a completely blank search box just sends you to the google homepage.
http://www.google.com/search?q= [google.com]

Searching for something that returns no hits gives you a helpful message
http://www.google.com/search?q=ncjkxhsk%5Caflhjsdk a [google.com]

But searching for only symbols gives you a nice blank page!
http://www.google.com/search?q=()()) [google.com]

Fun and games with google!

Re:

[Jeff DeMaagd]

I think it's annoying that Google removes symbols, and I think other search engines do too. It makes doing searches for specific things very hard. Heck "10-200" (in quotes) won't give you only exact matches, it will return any page with 10 and 100 in it rather than the specific string. Advanced mode exact string search didn't do me any good last I tried it. It's important for looking up very specific things, like model numbers or part numbers and any thing that doesn't match exactly isn't relevant to th

Re:

[zaajats]

I think it's annoying that Google removes symbols...

I totally agree, but also believe this is a case where the technical difficulty of fixing it actually is significant - in addition to creating indexes of single words (and numbers) they'd also have to index all punctuation etc (in addition to word order, which they already do)

Re:

[jez9999]

Indeed. Try this [google.com].

Re:

[highonlife]

Here is something that should be more of interest.

Search for ".com" in google.
http://www.google.com/search?hl=en&q=.com&btnG=Goo gle+Search&meta= [google.com]
The first site found is microsoft, the second site found is yahoo. Now if i understand the pagerank system correctly, and i find this reasonably hard to believe, this means that more people link to yahoo and microsoft than google itself? Further down the page you find amazon, and even ask.com
On the other hand, i think this is reasonable proof

Re:

[caffeinemessiah]

Not necessarily. There's a good chance the "." is being stripped, so what you're searching for is "com". Microsoft Component Object Module (COM) comes up first, but that's not surprising because it's been around for years.

Re:

[highonlife]

I would normally agree with you, but how does that justify yahoo at number two?.
The only reason yahoo is at number two (if i understand the highlighting correctly) is because it is catching the ".com" in yahoo.com.
If fact, (i dont know what they call these ...sublinks...the ones that are tabbed away and below the main link) the sublink to the microsoft link (which is about COM at number 1) is to microsoft.com, again found by the *drum roll please* ".com" in "microsoft.com".

If anyone makes a "com again"

Re:

[selbk]

.com again?

Re:

[thzinc]

Actually, you should search for site:com [google.com]...

No ads bug on Google!

[cyberianpan]

Try this link [google.com]. Google without any ads ? Ok we could configure our machines to bloack ads but I use different machines a lot, if that "backdoor" link becomes popular Google would be in trouble ! I picked up on this "bug" from here [blogspot.com].

Yes strictly it isn't a bug in the sense that it harms the user but it is the same as a bug that allows you use a program for free.

Re:

[jesser]

That also turns off the "Did you mean:" spelling suggestions, the image results when you search for something like "Firefox logo", and the map results when you search for something like a zip code or address. If you found a "full Google search" without ads, that would be more interesting.

Re:

[Draykwing]

You know, some other people have been suggesting that Google removes symbols from their searches, but I don't find this to be true. As an example, google (with quotes) "foo.*baz" . You will notice that bar is also bolded , as just as if it was (gasp) a search term. Why? Because regexes work, that's why!

Re:Well: No

[rduke15]

Because regexes work, that's why!

Of course not. Regexes do NOT work in Google searches. Try searching for sla.*dot, and you will find, as expected, things with "sla" and "dot". The closest to slashdot you may come across could be a sla.dot Word template if /. had such a thing, and was using Word, and had decided that typing slashdot was too long and that sla would do since you cannot have a Word template called "/.dot"...

Regexes don't work - it's wildcard word matching

[ribuck]

It's not a regexp search. Google treats words joined by a dot as if they were enclosed in doublequotes (thereby triggering a phrase search), and treats an asterisk as matching any whole word (actually sometimes short phrases are matched too.

So your search for foo.*baz is the same as a search for "foo *" baz. Because the phrase "foo bar baz" is common on programming sites, you're likely to see "bar" bolded because it matches the asterisk.

Re:

[SilentChris]

By the way, before anyone jumps on me, the line should read:

* If you're going to make a declaration in English, please speak properly.

I'm not above fault myself. In my defense, however, I'm not trying to get the attention of a worldwide audience.

Re:

[Samuraiasshole]

Language is only a metaphor. Just add heurestic methods, discriminative bayesian, expectation maximization and other crap, that's called Google Translate, moron! Even not-so-fluent English speaker can become a president. So what's the cluck is for eh?

Re:

[QuickFox]

How many foreign languages do you speak flawlessly?

Re:

[SilentChris]

I don't claim to speak any foreign languages. I also don't attempt to speak them. The same way I don't attempt to do brain surgery.

Re:Can I make a request?

[QuickFox]

Brain surgery? What a comparison!

You'll have an extremely hard time convincing us Europeans to follow your rule. Lots of people here know several languages and use them all frequently, without knowing them well enough to speak flawlessly. We use foreign languages both for business and for fun. You'll have a very hard time convincing us to stop doing this.

In my opinion it would be a very boring world if people followed your rule. For example, I couldn't write this post. English isn't my first language, it's not even my second, so who knows what errors might sneak in without my noticing!?

Maybe I'd better shut up now, in case I'm subjecting you to painful language errors without noticing.

Re:

[zobier]

Don't feed the trolls ppl. The guy speaks one language (not even flawlessly), you come along and make a damned fine effort with English as your nth language. Don't waste your time (unless you wanted to show of your linguistic prowess, in which case go right ahead).

Re:Can I make a request?

[Timesprout]

If you're going to make declaration in English

SilentChris: English Learnings of Grammar for Make Declaration Glorious Nation of Ukraine.

Can *I* make a request?

[cp.tar]

Mod parent way up.

Re:

[SilentChris]

I pointed out the mistake before you did. Do I win a prize?

There's a big difference, by the way, between making a single mistake and pointing it out almost immediately in a lone Slashdot discussion (as I did), versus making multiple mistakes, while not bothering to correct any, in holding worldwide search engines for ransom.

In either case, I applaud your thoroughness in not bothering to read the replies to my post before flinging one of yours on the wall. (I'll leave the examination of the semantics of my

Re:

[Timesprout]

I pointed out the mistake before you did. Do I win a prize?

Well given the context of your error, you are a prize. A prize twat, but a prize none the less.

There's a big difference, by the way, between making a single mistake and pointing it out almost immediately in a lone Slashdot discussion (as I did), versus making multiple mistakes, while not bothering to correct any, in holding worldwide search engines for ransom.

Well given you criticize the quality of English from non native speakers and then proce

Re:

[Menkhaf]

Aww, shut the fuck up! Give the man a break. I'd be glad to read his broken English if he has something interesting to say, and it seems like he does. Just because he's not a native English speaker doesn't mean that you can't understand what he's trying to say. I'm not a native English speaker myself, but I do my best, and I'm pretty sure he did too.

Re:

[digital bath]

o rly? [wikipedia.org]

Re:

[asninn]

Let's hear your Ukrainian, then! Or any foreign language, for that matter. Come on, show us what you can do!

Oh, you don't speak any languages besides English? How unexpected.

Re:

[SilentChris]

Nor do I attempt to speak them. As I mentioned, I don't attempt to engage in any exercise that I know will fail in. Not brain surgery, not holding search engines hostage, and not speaking Ukrainian.

Re:

[SilentChris]

Who said I was American?

definitions!

[ThwartedEfforts]

The plan is to shake out cross-site scripting bugs in the most popular search engines (think Google, Yahoo, MSN, Ask.com)

Uh, thanks for explaining what a search engine is, in order to stave off the inevitable questions of "What's a search engine? Why do the editors think we know this?".

month of x, month of y

[Anonymous Coward]

can we have a month of free, good porn? i spend all day looking at bugs, i could do with something else for a change...

Re:

[kirun]

If you have an ipv6 connection, yes. Wait and see.

Re:

[Anonymous Coward]

What about those of us who like bug porn, you insensitive clod!

Going to be something like Johnny's site?

[Jugalator]

Hmm, I wonder if it's going to be something like this...?
http://johnny.ihackstuff.com/ghdb.php [ihackstuff.com]

hmm

[MadKad]

sounds like a load of pap to me, will have to wait and see.

Wrong bug -

[HW_Hack]

Shouldn't June be the month or "June Bugs" ... damn things used to scare the hell out of me as a kid. And I don't even want to talk about Potato Bugs

Re: Wrong bug -

[gidds]

As long as we don't go straight to the Month of Stomach Bugs...

"Bugs"

[bendodge]

To let users of search engines and web community as a whole to understand all risks, which search engines bring to them.

What impressive language skills our editors have!