I Found a Google Bug!
Yes, I can now confirm that I have found a bug in Picasa Web Albums. Since the new “tagging” features are not validated - either client side or server side - you can use URL signficant characters in your tags. At first, I used a plus sign (+), which was URL decoded as a space. This lead me to try #, then ?, and finally &, which inexplicably - WORKS!
So I created a new tag D&psc=CONTACTS — and guess what? — it has some funny results. It searches all of your contacts’ photos for the letter D (which is common in default photo names, such as DSC001.jpg). Then I thought, “I wonder if I browse the JS source if I can find a command that is passed via URL GET variable that can be instantiated via an intentionally malcrafted tag?” I have posted on the Google USENET group and filed a bug through the standard complaint form. I consider this pretty big news, but I don’t want to submit it to digg or Slashdot or post on OSNews until someone has a chance to implement a fix, which is probably pretty trivial (URL encode the tag links) or fix it properly (validate tags on creation).
Anyway, I’m psyched, because I understand it’s pretty rare to find a bug in Google’s code.
If you liked this post, you might like these
- Bye-Bye Slashdot, Hello IG
- Picasa Evolves
- What I’m Hoping to See in PicasaWeb 2.0
- More About Picasa Web Albums
- Look At Me, I Am Cool Because I Am Valid
I don’t know if it’ll make news, but you’ve been dugg.
Cool. They pointed to the OSNews Staff Blog, which is cool because I know that server can withstand a digging. I would’ve loved to see if firsttube.com can though.