« Hidden search results
Opera’s least popular feature comes to Firefox »

Hidden search results – answer

Michael Lefevre and mpt gave correct, but incomplete, answers to the question in my previous blog entry in their comments. Part of Michael's answer:

You'd have to work out which bits of closed bugs should be queryable (if you give any indication of a result based on, say, summary or comment queries, you could be disclosing important bits of the closed bug).

Indicating hidden results for a summary query would indeed disclose an important bit of the bug: its summary. First, the attacker would query for bugs with summaries starting with "a", "b", etc. Discovering that at least one hidden bug's summary begins with "b", the attacker would query for bugs whose summaries start with "ba", "bb", etc. After a few hundred more queries, the attacker would have the entire summary.

This entry was posted on Saturday, August 14th, 2004 at 8:53 pm and is filed under Google, Mozilla, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

2 Responses to “Hidden search results – answer”

  1. Jeff Walden Says:
    August 15th, 2004 at 10:29 am

    Hmm, true.

    Now, if I’d read the previous entry closely enough to see that you weren’t just asking a rhetorical question, I *might* have been able to give it a try.

  2. Anonymous Says:
    August 18th, 2004 at 7:27 am

    If the search would assume that various bugzilla entries (like the summary) are blank, than this problem wouldn’t arise.