Good catch! Also studied Google's 404 pages. Seems like they have unified all bu... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

carvalho on May 18, 2017 | parent | context | favorite | on: Google Bug Bounty – The $5k Error Page

Good catch! Also studied Google's 404 pages. Seems like they have unified all but a few of them. One of them I found was vulnerable to old utf-7 injection (specified customizable page title before character encoding) and another was vulnerable to XSS. Got a bounty for the XSS one, the utf-7 one targeted too old browsers, out of scope for the program (I do wonder how many IE6 users Google sees).

joatmon-snoo on May 18, 2017 [–]

It's a very low percentage, somewhere in the low single digits (if not an even lower order of magnitude). Still high enough for it to be worth paying engineers to maintain the backwards compatibility :)

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact