
Search Engine Security Concerns


Security issues with Lycos and Google came up in July. They aren't likely to impact many, if any, users, so don't get panicked. Here's a rundown on what happened.

At Lycos, the search engine was found to render some site descriptions as actual HTML code. Specifically, when it saw the characters < and > in a description, it did not display them as text; if they surrounded a valid tag, it passed them through as live HTML. For example, if this was in a description:

Lycos might render it as an actual input box. This meant that, potentially, someone could cause JavaScript to execute on your computer, causing windows to open or to do other things.
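
The rendering flaw described above, as an added example that is not from the original article or from Lycos: a results template that inserts a crawled description verbatim, next to one that encodes it first, with a check for elements the template itself did not emit. The sample record, the function names and the `<input>` description are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a crawled listing whose description contains markup.
SAMPLE = {
    "title": "Example Site",
    "url": "http://www.example.com/",
    "description": 'Type here: <input type="text" name="q"> to search our site',
}

TEMPLATE = '<li><a href="{url}">{title}</a><p>{description}</p></li>'
ALLOWED = {"li", "a", "p"}  # the only elements the template itself emits


def render_result_unsafe(result):
    """Mirrors the reported behaviour: crawled text reaches the page as-is."""
    return TEMPLATE.format(**result)


def render_result_escaped(result):
    """Encode every crawled field so < > & and quotes display as text."""
    safe = {key: html.escape(value, quote=True) for key, value in result.items()}
    return TEMPLATE.format(**safe)


class TagCollector(HTMLParser):
    """Records the element names a browser would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(rendered):
    """Return elements in the output that did not come from the template."""
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    return [tag for tag in parser.tags if tag not in ALLOWED]


if __name__ == "__main__":
    print("unsafe :", unexpected_tags(render_result_unsafe(SAMPLE)))
    print("escaped:", unexpected_tags(render_result_escaped(SAMPLE)))
```

The same `unexpected_tags` check can run as a regression test over rendered result pages, so a template change that drops the encoding step is caught before release.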

The security report filed about this makes it sound like it would be fairly easy for someone to get high-ranking pages and then take advantage of users by manipulating descriptions in this way. The reality is that such pages are far more likely to appear only for obscure searches, making the value of this hack minimal.

Nevertheless, it should be something that is corrected. Despite having been reported to Lycos in mid-July, the problem was still happening yesterday.

"We are aware of this, and I was assured earlier this morning that our engineers are working on the fix immediately," said Terra Lycos spokesperson Kathy O'Reilly.

Meanwhile, Google's advances in indexing dynamic content meant that it was possible for crackers to get into DCShop shopping cart systems and perhaps find credit card information. Google removed links to dcshop.cgi URLs once the potential problem was reported.

Search Engines HTML Parsing Vulnerability (Lycos)
SecuriTeam.com, July 27, 2001
http://www.securiteam.com/securitynews/5PP0L2A4UC.html
http://www.sentry-labs.com/files/lycos0401071601.txt

Security warning about the Lycos problem. Second URL has additional information.

Lycos Example Query
http://search.lycos.com/main/?query=www.digital-ca.com&rd=y

If the bug is still there, you'll see how an input form appears for this entry (don't worry, there's no security problem with viewing this example).

Google removes links to credit card loophole
Fairfax IT, July 26, 2001
http://it.mycareer.com.au/breaking/2001/07/26/FFXB87FPLPC.html

More details about the problem at Google.

