Search Engine Security Concerns

Security issues with Lycos and Google came up in July. They aren't likely to impact many, if any, users, so don't get panicked. Here's a rundown on what happened.

At Lycos, the search engine was found to render some site descriptions as actual HTML code. Specifically, when it saw the characters < and > in a description, rather than render them as text, it was turning them into HTML commands, if they surrounded appropriate tags. For example, if this was in a description:

Lycos might render it as an actual input box. This meant that, potentially, someone could cause JavaScript to execute on your computer, causing windows to open or to do other things.

The security report filed about this makes it sound like it would be fairly easy for someone to get high ranking pages and then take advantage of users by manipulating descriptions in this way. The reality is that such pages are far more likely only to appear for obscure searches, making the value of this hack minimal.

Nevertheless, it should be something that is corrected. Despite having been reported to Lycos in mid-July, the problem was still happening yesterday.

"We are aware of this, and I was assured earlier this morning that our engineers are working on the fix immediately," said Terra Lycos spokesperson Kathy O'Reilly.

Meanwhile, Google's advancements to index dynamic content means that it was possible for crackers to get into DCShop shopping cart systems and perhaps find credit card information. Google has since removed links to dcshop.cgi URLs, once the potential problem was reported.

Search Engines HTML Parsing Vulnerability (Lycos), July 27, 2001

Security warning about the Lycos problem. Second URL has additional information.

Lycos Example Query

If the bug is still there, you'll see how an input form appears for this entry (don't worry. There's no security problem with viewing this example).

Google removes links to credit card loophole
Fairfax IT, July 26, 2001

More details about the problem at Google.