Yes, I can now confirm that I have found a bug in Picasa Web Albums. Since the new “tagging” features are not validated – either client side or server side – you can use URL significant characters in your tags. At first, I used a plus sign (+), which was URL decoded as a space. This led me to try #, then ?, and finally &, which inexplicably – WORKS!
So I created a new tag D&psc=CONTACTS — and guess what? — it has some funny results. It searches all of your contacts’ photos for the letter D (which is common in default photo names, such as DSC001.jpg). Then I thought, “I wonder if I browse the JS source if I can find a command that is passed via URL GET variable that can be instantiated via an intentionally malcrafted tag?” I have posted on the Google USENET group and filed a bug through the standard complaint form. I consider this pretty big news, but I don’t want to submit it to digg or Slashdot or post on OSNews until someone has a chance to implement a fix, which is probably pretty trivial (URL encode the tag links) or fix it properly (validate tags on creation).
Anyway, I’m psyched, because I understand it’s pretty rare to find a bug in Google’s code.
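The two fixes mentioned above (URL encode the tag links, validate tags on creation), as an added example that is not part of the original post and is not Google's code. The host, path, the `q` parameter name and the allowlist policy are assumptions; only `psc=CONTACTS` comes from the post.

```javascript
// Hypothetical endpoint and parameter name, chosen for illustration only.
const BASE = "https://photos.example/lh/view";

// Pattern the post describes: tag text concatenated into the link as-is,
// so URL-significant characters in the tag change the query structure.
function tagLinkUnsafe(tag) {
  return BASE + "?q=" + tag;
}

// Fix 1 (output encoding): percent-encode the tag when building the link.
function tagLinkSafe(tag) {
  return BASE + "?q=" + encodeURIComponent(tag);
}

// Fix 2 (validate on creation): assumed allowlist of letters, digits,
// space, underscore and hyphen, 1 to 64 characters.
function isValidTag(tag) {
  return /^[\p{L}\p{N} _-]{1,64}$/u.test(tag);
}

// What a standard query-string parser sees on the receiving side.
function parsedParams(link) {
  const u = new URL(link);
  return { params: Object.fromEntries(u.searchParams), fragment: u.hash };
}

// Constructed sample tags covering the characters tried in the post.
const SAMPLE_TAGS = ["D&psc=CONTACTS", "a+b", "x#y", "holiday 2006"];

function report() {
  return SAMPLE_TAGS.map((tag) => ({
    tag,
    acceptedAtCreation: isValidTag(tag),
    unsafe: parsedParams(tagLinkUnsafe(tag)),
    safe: parsedParams(tagLinkSafe(tag)),
  }));
}

console.log(JSON.stringify(report(), null, 2));
```

With encoding applied, the whole tag round-trips as the single `q` value; without it, `&` starts a second parameter, `+` becomes a space and `#` cuts the rest off into the fragment.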