Sunday, August 19, 2012

The Bug Which Wasn't A Bug

Dear members and guests of InterN0T,

Today it's a little bit over 7 months since I reported a bug to Google, and for old times' sake I wanted to try out the proof of concept, primarily because I like seeing "old" bugs I found not getting fixed, as they make me laugh.

Of course the purpose of reporting a bug is hoping it does get fixed, but as Google deemed this a non-bug in January 2012, I thought they would never encode apostrophes, and therefore be ignorant of the potential threat this minor bug in encoding could pose.

Apparently they fixed this bug within the last 3 months or so, meaning they apparently did deem it as a bug, but where am I on the Hall of Fame? I don't care about the monetary reward, but I do care about credit. Back in January 2012, Google only encoded quotes (") and angle brackets (<, >), but now they also encode apostrophes ('), meaning they definitely fixed the bug / updated their sanitisation function.

This naturally makes me annoyed to see Google acting this way, first saying it's not a bug, then fixing it a couple of months later without any notification. Next time I find a bug I probably won't be so kind to inform them first. Instead I will probably drop it as a 0day, as a reminder of giving credit where it should be given.

I know this is a dead blog, used primarily for emergency purposes only if InterN0T is down, but posting an entry here about this bug will probably get more attention from Google than if I post it on InterN0T.

Best regards,
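
The encoding gap described in the post, as an added example that is not part of the original post and is not Google's code: it models an encoder that handles quotes and angle brackets but not apostrophes beside one that also handles apostrophes, and reports which HTML output contexts each leaves open. All function and constant names are hypothetical, the `&` mapping is an assumption the post does not mention, and the sample input is constructed.

```javascript
// Added illustration; all names are hypothetical, not Google's code.
// LEGACY_MAP models the January 2012 behaviour described in the post;
// the '&' entry is an assumption (the post does not mention it).
const LEGACY_MAP = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
// FIXED_MAP adds the apostrophe, as the post says happened later.
const FIXED_MAP = { ...LEGACY_MAP, "'": '&#39;' };

// Builds an encoder that replaces exactly the characters listed in the map.
function makeEncoder(map) {
  const pattern = new RegExp('[' + Object.keys(map).join('') + ']', 'g');
  return (text) => String(text).replace(pattern, (ch) => map[ch]);
}

const encodeLegacy = makeEncoder(LEGACY_MAP);
const encodeFixed = makeEncoder(FIXED_MAP);

// Characters that terminate each output context if they survive encoding.
const CONTEXT_DELIMITERS = {
  elementText: ['<'],
  doubleQuotedAttr: ['"'],
  singleQuotedAttr: ["'"],
};

// Returns the contexts in which the encoder leaves a delimiter untouched.
function unsafeContexts(encode) {
  return Object.entries(CONTEXT_DELIMITERS)
    .filter(([, delims]) => delims.some((d) => encode('a' + d + 'b').includes(d)))
    .map(([context]) => context);
}

// Counts attribute delimiters in a rendered single-quoted attribute;
// anything other than 2 means the value closed the attribute early.
function singleQuoteCount(encode, value) {
  const html = "<input value='" + encode(value) + "'>";
  return html.split("'").length - 1;
}

const SAMPLE = "O'Brien"; // constructed sample input
console.log(unsafeContexts(encodeLegacy), singleQuoteCount(encodeLegacy, SAMPLE));
console.log(unsafeContexts(encodeFixed), singleQuoteCount(encodeFixed, SAMPLE));
```

Even an ordinary surname is enough to show the difference: with the legacy map the rendered attribute contains three apostrophes instead of two, which is a cheap regression check for any template that uses single-quoted attributes.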


  1. I know that feel. I have personally coded security patches for WordPress which are IN the WordPress core code which I was never given credit for. I have bugs in numerous "important" systems, binaries, and CMSs which I will never report because of less serious bugs being reported which were never patched or were silently patched and I didn't get proper attribution.

    I used to think No More Free Bugs was stupid, now I 100% support it.


  2. I agree that I felt "No More Free Bugs" wasn't the best idea at first either, but when you don't get any credit and they still fix the bugs, it becomes a more attractive idea. Thanks for your opinion, connection, it's much appreciated.

    ~ MaXe

  3. This is somewhat off topic. I am trying to contact you on intern0t but am unable to do so because I'm being redirected to Google. Anyway, I would like to request your permission, if it's okay, to add your site, xssor, on my site. Though I already did; I enclosed it in an iframe. I am always using it, so I think it's best to add it to my site. Please let me know if you are against this so I can remove it from my site. You can check it here:


    1. It's cool, only a few people use that tool anyway, as far as I know, even though for research and quick encoding, I use it too :-) Might have to update it sometime, as some of the attack vectors don't work like they once did because of browser changes.