web application security lab

Month of Search Engine Bugs

I got an email from Mustlive about a new project he is starting up next month. In June, he’s kicking off the Month of Search Engine Bugs. From the website:

Purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet. To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines’ owners to security issues of their sites.

Search engines are one of my favorite things to pick on myself, so I’ll be interested to see what he comes up with. Most of us are familiar with Google dorks (queries used to find vulnerable machines), but this is different. One thing that wasn’t made clear is whether this is search engines only or also the portals, or whether it is specifically isolated to security or not, but it should be interesting to watch.

6 Responses to “Month of Search Engine Bugs”

  1. John @ NIST.org Says:

    Would be interested to know if he’s talking about just the big well known search engines or smaller country-specific ones. Hope he starts throwing out some teasers soon.

  2. Awesome AnDrEw Says:

    Is this only going after larger scale search engines like Yahoo!, Google, Altavista, et cetera, or is this open to smaller scale search engines too? Do Porn gallery search engines count, and will this allow for CSRF? I’m always interested in contributing to the list of vulnerabilities found on any set of sites.

  3. Wladimir Palant Says:

    AnDrEw, the site says: “During the month everyday will be publish vulnerabilities in most popular search engines of the world.” That sounds like Google, Yahoo and MSN to me (Altavista doesn’t make the list).

    If this will include the portals, that should be boring - finding 30 bugs in Yahoo is easy. If it is search only - well, might be worth watching.

  4. MustLive Says:

    John @ NIST.org

    I regularly post teasers (the holes in search engines) at my site - search engines (SE) are frequent guests in my news :-). So there were a lot of such teasers before. And now I decided to make an entire Month of Bugs project with vulnerabilities in SE.

    if he’s talking about just the big well known search engines or smaller country-specific ones.

    Man, it is a whole month of bugs in SE. So it will be 30 engines which take part in my project. And they need to be different SE by my plan. Also I plan to post bonus records on some days with additional holes in some engines (of those days), but there will be a different SE every day. It will be really the World Bugs Show.

    Also you need to understand that the USA is not the world and vice versa. So I’ll not post about USA only SE (or any other country), but there will be many engines from different countries. For this reason there will be country-specific SE also (only the most popular ones). The list of top popular SE in the whole world is short, so I must add some smaller engines to the list, as I do the world-wide project.

    And now I am still looking for participants (engines) for my project ;-). If somebody has ideas feel free to contact me by email.

  5. MustLive Says:

    Is this only going after larger scale search engines like Yahoo!, Google, Altavista, et cetera, or is this open to smaller scale search engines too?

    Awesome AnDrEw

    There will be different engines in my project (both large and not so large, like I told in the previous post), but it will be search engines (SE). And it will be general-purpose SE, not porn SE :-) (and you can use Google for searching for porn, every SE can be used for many purposes). Also I plan to post not just about global search engines, but also about local search engines which global SE vendors offer for webmasters.

    CSRF is also welcome to the MOSEB project (maybe as bonus posts), but for now I am concentrating on XSS.

    And I am planning to post only vulnerabilities which were found by me. I have a lot of my own holes and if I need I can find holes for the project by myself (no help needed in this case). So there will be no such situation, like in the MOMBY project, where guys used holes which were found by other people. As I said I have already a lot of interesting holes in SE. But if somebody has some interesting hole in any popular SE feel free to contact me, and maybe that hole will be published (with full credits) as a bonus bug or even main bug of the day.

  6. MustLive Says:

    Wladimir Palant

    There will be Google, Yahoo and MSN in my project. But also Altavista (I have holes for this engine) and many others. By the plan I’ll post about a different SE every day (not concentrating on any single engine - anyone can do it by himself, if he likes one SE too much), so I’ll post holes in many engines (the most popular) from different countries (like I told before).

    So I need to select these 30 engines. For now I am still looking for participants (SE) for MOSEB. I already chose part of the list (it will be one Ukrainian SE, some Russian SE and some USA world-famous SE), but I am still looking for engines. If somebody has propositions feel free to contact me.

    I need a statistic of popularity of SE in the world. I recently looked at bigmir statistic (about most popular SE in Ukraine) and spylog statistic (about most popular SE in Russia) and Hitwise statistic (about most popular SE in US and UK, but it is very small statistic). But I didn’t find anything new, I already took the top SE from these statistics to my project. So I am still looking for detailed statistic and for participants for MOSEB.

    If this will include the portals, that should be boring - finding 30 bugs in Yahoo is easy. If it is search only - well, might be worth watching.

    Wladimir, like I planned (but I forgot to write it in the announcement, but I’d maybe write it in the detailed description of the project) it will be holes in SE and all their services (because every popular SE is a portal and has many services). But I understand your position and I am trying to make as less boring and as more interesting project as possible.

    So I am trying to concentrate only on SE holes - only holes in search functions. Every SE has many different searches (main, images, news, etc.), so it will be holes in any of the searches which some SE provide. And so it will be mostly holes in SE, not portals. I have some cases, where I chose SE for the project and have only a hole in some service, not in search (and mainly it is because SE has very tough security in main search). But every such case is under discussion. So it is possible to make a nice list of SE for the project with interesting holes. And I’ll do my best to make the MOSEB project interesting for everyone.

    P.S.

    Guys, I am also looking for one person (with solid knowledge of English) who will help me with English texts. All work will be done by me, so it will be only a little help (like some spell-checking and grammar-checking). If any of you are interested, please contact me (by email).