Archive for the 'Google' Category

List of security holes I’ve found

Thursday, May 5th, 2005

I have compiled a list of security holes I have found in Mozilla and Google products. Most of the holes I've found in web sites could be found without much thinking by anyone who has read my security tips for web developers. The security holes I find in Mozilla tend to be more interesting and clever.

Google Adsense doesn’t like Adbar

Tuesday, March 8th, 2005

From: Google AdSense
To: Jesse Ruderman
Subject: Google AdSense Account Status
Date: Tue, 8 Mar 2005 21:56:17 -0800

Hello Jesse,

We regularly review sites in the AdSense program for compliance with our program policies.

While reviewing your account, we noticed that you are currently displaying Google ads in a manner that is not compliant with these policies. We've noted that you are in violation of the following program policies on www.squarefree.com/extensions/adbar:

- We've found that you're displaying Google ads in a manner that does not comply with our program policies. According to Google AdSense program policies, no Google ad or search box code may be pasted into any software application, even if it is modified to not show ads through your AdSense account. In order to comply with our policies, please remove the Google ad code from the software provided in your site.

Thank you for your understanding. Once you've made the necessary changes, please reply to this email so that we may review your account again.

We also suggest that you take the time to review our program policies (https://www.google.com/adsense/policies?hl=en_US) and Terms and Conditions (https://www.google.com/adsense/localized-terms?hl=en_US) to ensure that all of your pages are in compliance.

Sincerely,

Heraldo
The Google AdSense Team

More Google changes

Wednesday, January 26th, 2005
  • The maximum words per query has increased from 10 to 32.
  • If you click a word in your query, it now takes you to answers.com instead of dictionary.com. Answers.com shows not only dictionary definitions but also thesaurus entries, encyclopedia and Wikipedia articles, and several other sources of information.

Google expands some acronym searches

Monday, January 17th, 2005

A search for "np tree" turns up a lot of hits for Joshua Tree National Park, with the phrase "National Park" bolded in page titles and snippets. This doesn't work for all searches involving the term "np" -- for example, it doesn't work for a search for "np" by itself. How new is this feature? What other acronyms does Google expand?

Firefox first suggestion for “f”

Friday, December 10th, 2004

When I type "f" into Google Suggest, the first suggestion is "Firefox". Nice. Does that mean Firefox is the most common search starting with "f", or are there other factors that affect the ranking?

My impressions of Google Desktop Search

Friday, October 22nd, 2004

Google Desktop Search is useful enough for me to keep it installed, but I wouldn't say that it works well.

Functionality

  • The file I'm looking for is often missing from Google Desktop Search's index. Even the filename is missing. I can't tell if it decided to skip the file because of its extension, contents, location, or changed-on date. Sometimes touching the file gets it indexed, but sometimes it doesn't.
  • It "caches" old versions of files often enough to take up disk space unnecessarily, but not often enough that I can rely on it for a revision history when I break something.
  • Since Google Desktop Search is slower than www.google.com, leaving "Show Desktop Search results on Google Web Search result pages" checked makes it slow down web searches.
  • It gets much slower if I add num=100 to the URLs. A search with num=100 usually takes 3 seconds. This would be ok if it streamed the results, but I just don't see anything for 3 seconds. (There's no UI for adding num=100, so it's not really fair to complain.)

Security

  • "Show Desktop Search results on Google Web Search result pages", which is checked by default, elevates any XSS hole in www.google.com to a read-my-files hole.
  • Google Desktop Search uses an interesting scheme to mitigate XSS and CSRF holes: it includes a hash in every URL, even the root. The hash includes the path and sometimes includes the query parameters. If the hash is missing or doesn't match, it returns "Invalid Request".
  • Clicking a link to an .exe file in search results runs it without any warning.
  • The web site doesn't mention the current version number. The program doesn't have a "Check for upgrades" link, and if it checks automatically, it makes no indication of that fact.
  • Any web page can detect whether you have Google Desktop Search running by loading an image (or perhaps any URL) from http://127.0.0.1:4664/.
  • The index is stored in a predictable location. "File upload holes", which let sites read your files if they know the filenames, are common in web browsers. File upload holes that require no user interaction are usually fixed quickly. But file upload holes that do require user interaction are not always fixed quickly. Two file upload holes requiring user interaction that I reported in 2000 are still present in IE and Firefox.

New Firefox extension: Search Keys

Friday, October 15th, 2004

Search Keys lets you go to search results by pressing the number of the search result instead of clicking. You can press 1 to go to the first result, Shift+2 to open the second result in a new window, etc. It works with Google, Google News, Google Groups, Google Desktop Search, and del.icio.us.

Update Oct 16, 2004: The shortcut for opening in a new tab is now Alt+N on Windows and Mac, to avoid conflicting with the Ctrl+N shortcut for switching tabs. It is still Ctrl+N on Linux, which uses Alt+N for switching tabs.

Google’s “Browse By Name” in Firefox

Thursday, September 9th, 2004

Google recently introduced a mode called "Browse By Name", a cross between "I'm Feeling Lucky" and a normal Google search. "Browse By Name" acts like "I'm Feeling Lucky" if Google is certain that the first hit is correct, but otherwise returns a normal set of search results. If you use Internet Explorer with the Google Toolbar, "Browse By Name" is the default behavior for non-URLs typed into the address bar. The Google Toolbar shows a dialog the first time you use the feature.

By default, Firefox uses "I'm Feeling Lucky" for non-URLs typed into its address bar. You can change the behavior by going to about:config and setting keyword.URL to the appropriate URL and then restarting Firefox.

Address bar behavior    keyword.URL
I'm Feeling Lucky       http://www.google.com/search?ie=UTF-8&btnI=&q=
Browse By Name          http://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q=
Google search           http://www.google.com/search?ie=UTF-8&q=