web application security lab

Month of Search Engine Bugs Comes To A Close

Mustlive wrote up a good overview on the end of the Month of Search Engine Bugs. Over 100 bugs were found, and fewer than half were fixed by the companies in question. That’s not exactly a great track record, but in some cases it’s only been a few days. One thing I thought was interesting was that only two companies wrote to thank Mustlive for finding the bugs. One could argue that they see this less as a service and more as an annoyance than anything, but especially in the case of the community sites, it’s better if whitehats find these holes than people who would use them maliciously.

Now about the sites not fixing the holes. One thing I’d like to make clear from lots of personal experience is that it takes time to fix holes. No matter how big or small the hole is, it cannot be fixed instantly. Even with the most agile sites, you still have to a) know about the hole, b) make the change and c) test the change. In large sites it can take weeks to go through that process, and sometimes even longer. One of the best examples of that is publicly traded companies that do the bulk of their business through their websites. Sites like this often have quiet periods during which they aren’t allowed to make changes to their platform, because doing so risks the stability of the sites during the busy season. So 40% of sites fixing these problems might sound appalling, but sometimes there is a lot more than meets the eye. However, perhaps it’s time to change the status quo.

2 Responses to “Month of Search Engine Bugs Comes To A Close”

  1. hackathology Says:

    Absolutely right, Rsnake. Time is a factor to consider when fixing bugs. But still, I think for those critical bugs, it’s best to fix them with utter urgency.

  2. MustLive Says:

    Guys.

    In total 104 vulnerabilities in search engines (44 fixed), and that’s without taking into account redirector holes (23 redirectors, and none of them have been fixed yet).

    Note that of the three biggest search engines, only Yahoo and MSN fixed their vulnerabilities (and very quickly, too), but not Google. All the mentioned vulnerabilities in Google (MOSEB-15, MOSEB-15 Bonus and MOSEB-20 Bonus) are still not fixed.

    What are the problems Google has with it? Holes need to be fixed.