Monday, July 02, 2007

30 days, 104 Search Engine Vulnerabilities

MustLive completed his Month of Search Engines Bugs (MOSEB) project and generated some interesting results. First let’s take a look at the targets, the who’s who of search:

Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler,, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Results of the projects: fixed 44 vulnerabilities from 104.

I’m actually a little impressed that so many got fixed so fast. Is this a result of diligence on the part of the search engine vendor? For some I’m sure it was. For others, did the risk of negative press speed remediation? More than likely. I guess Full-Disclosure will live on for web security, just maybe not so much in the US. Ukrainians certainly don’t seem to be deterred.


Anonymous said...


In total 104 vulnerabilities in search engines (44 fixed) it's without taking into account redirectors holes (23 redirectors and all of them didn't fixed yet).

Note, that from three biggest search engines, only Yahoo and MSN fixed vulnerabilities (besides very quickly), but not Google. All mentioned vulnerabilities in Google (MOSEB-15, MOSEB-15 Bonus and MOSEB-20 Bonus) still not fixed.

What are the problems Google has with it? Holes need to be fixed.

Jeremiah Grossman said...

> What are the problems Google has with it?

I dunno, ask Corey. Was he notified?

Anonymous said...

> I dunno, ask Corey. Was he notified?
Do you mean Corey Vickrey?

Man, I wrote to all vendors participants of my project (and to Google also) in the beginning of June. To inform them that they are taking part in my project and they need to watch my site and fix all disclosed holes.

I also write a letter to Google (and a letter to Microsoft) today to congratulate with winning in nomination of my project :-). And also remind Google, that these holes need to be fixed. So I hope Google will fix them.


Jeremiah, as you remember (I hope you don't forget :-) ), in last year you was one of Google's favorite security guys (

So you can try to contact Google by yourself (Corey for example) and remind them, that they must fixed these vulns.

Jeremiah Grossman said...

Cory Altheide, Incident Response Lead at Google

He's the guy that needs to know.

I'll send him an email and see what he says....