Month of Search Engines Bugs: totals
23:57 01.07.2007
My project Month of Search Engines Bugs has finished and I’m summing up.
33 search engines (30 web engines and 3 local engines) from 19 vendors took part in the project; some vendors have several engines. The list of the project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.
Altogether, 104 vulnerabilities were published in the mentioned engines, including Cross-Site Scripting (both as XSS and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. This does not take into account redirectors in search engines (altogether, 23 redirectors were published).
Results of the project: 44 of the 104 vulnerabilities were fixed (not counting redirectors). That is 42.31% of vulnerabilities fixed. Owners of search engines have room to improve their engines’ security.
Note that of all search engine vendors (19 vendors of 33 search engines), only two thanked me for the time that I spent on them, for searching for vulnerabilities in their systems and for helping to improve their engines’ security (these were Rambler and Ezilon). All the other owners of search engines didn’t even think (were lazy) to do that. That is very unethical on their side and they need to work on their ethics and culture.
As I wrote in the project description, I decided to determine the winners of Month of Search Engines Bugs in two nominations. During the project every visitor of the site could vote for the bug he liked by posting a comment in the appropriate post. Today I counted the visitors’ votes and am announcing the winners.
Results of voting:
Best bug of MOSEB MustLive Choice
Also pay attention to MOSEB-05 Bonus: Vulnerabilities at autos.msn.com; in both of these MSN projects the vulnerabilities are based on the Expressive comments space-hack filters bypass technique.
Best bug of MOSEB Visitors Choice
It is an interesting vulnerability; besides, it’s the most dangerous bug of MOSEB.
The list of TOP5 bugs of MOSEB (by visitors choice):
- MOSEB-20 Bonus: Google dorks strikes back
- MOSEB-06: Vulnerabilities at clusty.com
- MOSEB-05: Vulnerability at shopping.msn.com
- MOSEB-15: Vulnerabilities at images.google.com
- MOSEB-10: Vulnerabilities at www.ask.com
I congratulate the winners, Microsoft and Google! You make the best vulnerabilities in your engines. Other search engine developers need to learn from you. But all vendors need to work on improving their engines’ security.
Thanks for watching the MOSEB project. Best regards. And attend to your security.
P.S.
By the way, before conducting this project (MOSEB), I conducted one more interesting project of disclosing vulnerabilities at important sites. In January I conducted the presidents fiesta: I published holes in the sites of presidents (certainly I informed the administration of these sites about the vulnerabilities).
- Vulnerability at the site of President of Ukraine
- Vulnerability at the site of President of Russia
- Vulnerability at the site of President of USA
- Vulnerability at the site of President of Byelorussia
- Vulnerability at the site of President of Slovakia
You can acquaint yourself with them as well.
Tuesday, 03:11 03.07.2007
Note that of the three biggest search engines, only Yahoo and MSN fixed vulnerabilities (and very quickly, besides), but not Google. All the mentioned vulnerabilities in Google (MOSEB-15, MOSEB-15 Bonus and MOSEB-20 Bonus) are still not fixed.
What are the problems Google has with it? Holes need to be fixed.
Tuesday, 06:15 03.07.2007
Yeah, holes really needed to be fixed, immediately maybe. But for some large companies, maybe they need time to do such fixes, especially those that use their website for e-commerce purposes. Btw, this is the greatest thing I ever saw. Nice work, man!
Tuesday, 15:37 03.07.2007
Thanks, zoiz.
I believe that the security of search engines (and of the Internet as a whole) will improve somewhat after this project.
Wednesday, 12:55 04.07.2007
Yeah, I really hope so. But that means that there will be more limitations in the future, but not really that bad too xP~
Wednesday, 18:06 04.07.2007
I’d like to know what search engines thanked you so I’d know which ones to use
Wednesday, 21:02 04.07.2007
gabe
Like I wrote in my post, only two search engines (from all participants) thanked me. These are Rambler and Ezilon. These vendors are ethical and serious ones. Other vendors need to work on themselves.
Monday, 07:15 09.07.2007
cool share. thanks for it.
Wednesday, 12:30 01.08.2007
Hi MustLive… I have trouble browsing your web. It’s that I don’t understand the main language on your blog
so sad..
Wednesday, 16:33 01.08.2007
Zoiz, I can understand you.
The main language of the site is Ukrainian, so you need to know Ukrainian. And it is better to be familiar with it, so as not to miss all the interesting things that I post every day.
To help you with this I recommend you use translation services (Ukrainian to English, for example), such as http://translate.meta.ua. So you will be able to translate (not too well, but it’s what we have) all the interesting stuff.
Wednesday, 08:09 08.08.2007
Ok thanks Man!!
Wednesday, 16:44 08.08.2007
You are welcome
Wednesday, 09:08 19.09.2007
Month of Vista bugs next! Pleeaaaase~ *crosses fingers*
Wednesday, 16:35 19.09.2007
hopeful
I don’t use Vista, am not interested in it, and my work and site are about web security, so all months of bugs made by me are webappsec related only.
But, man, now I am planning a new event. As I wrote at my site, I will make an event about bypassing a lot of CAPTCHAs. So wait for the official announcement.