How Hackers (and others) can Hack Your Site with Google

From David Strom – Allow me to show you how to hack into your own Web site. You don’t need any specialized tools, and you don’t need any specialized skills either. All you need is a Web browser and the ability to enter the appropriate search syntax to Google your own site, or anybody else’s for that matter. It doesn’t take much time, and the payoffs could be huge: an intruder could easily obtain a copy of your most sensitive data in about the time it takes to read through this essay.
The trick is using Google’s search engine to look for specific terms, such as passwords, salary details, and customer details. The opportunities are enormous.
I wrote about this exploit, called Google Hacking, in an article for today’s New York Times Circuits section here.
It was a fun story to report, and I thought I would take a moment to
tell you about things that didn’t make it in there.
First and foremost is an updated version of a great book of the same
name, published by O’Reilly.
The term really refers to a lot of different things. In my NYT
article, I talk about the dark side, about ways that bad guys can
uncover sensitive information, or pages that you might not realize are
available to the general public. But there are a lot of neat things
that you can do with Google that are much more benign and fun, and can
really stretch your ability to look for particular information. Here
is one that you probably didn’t know about: you can type in “13 miles
in kilometers” in Google’s search box and it will do the conversion
for you.
Back to the dark side though. I spoke to a lot of different people in
law enforcement, and one of the things that struck me during these
interviews is how hard it is to prosecute someone who has been using
Google to illegally use information. You need to have some tangible,
physical evidence and the very nature of the Google hack is that you
never leave any footprints on the target site. Still, I was impressed
with how technically savvy the police are, at least the ones that I
spoke to who understand these issues and aren’t taking these exploits
While these exploits have been known for many years among the IT
community, they aren’t well known for the general business and
consumer audience, which is why I wanted to write about them. Some
people may say, why give these people the information to cause
trouble? In my article, I actually show a sample piece of search
syntax that can bring up vulnerable sites, which probably is a first
for the Times.
I look at it differently: the bad guys already know about these
exploits, and the challenge will be to educate the general population,
especially the smaller businesses, that don’t always protect
themselves. This isn’t just leaving your back door open, it is putting
a 40-foot neon sign out front with a big arrow pointing out that
millions of valuables can be found in your top dresser drawer. And the
problem intensifies if someone can take over your site and use it to
launch their own mischief or worse, illegal activities.
The article mentions two Web sites that are great resources for more
technical folks. One is Johnny Long’s site, located here.
Long compiles hundreds of vulnerabilities that have already been
indexed by Google, and the site is full of great examples of search
terms that you can plug in to find passwords and default configuration
pages that will take you to some interesting places.
The other site is The chair of this industry organization
is Jeff Williams. He told me “most Web applications respond to attacks
quite happily, without detecting them and without taking any defensive
actions. Network security mechanisms like firewalls, intrusion
detection, and hardened operating systems can’t detect or prevent
these attacks because they don’t know anything about a company’s custom
application code and how it works. And, unfortunately, the innocent
code doesn’t defend itself.”
Speaking of defending yourself, what can you do? First, make sure you
are secure. Williams says, “companies that don’t know whether their
applications are secure or not should start by verifying a few of them
to find out.” And if you have information that you don’t want Google
to index, remove it. Here is some information that Google publishes to
show site operators how they can remove their content from the search
index here.
Second, take security audits seriously, and do them often. Howard
Schmidt, the former federal cyber security chief, talks about how you
have to do security scans continuously. You can’t just rely on an
annual audit, or even a quarterly audit, because sites are organically
changing and new exploits are being uncovered every day.
Third, train your developers to be aware of these and other common
exploits, and reserve some funding for security assessments as part of
all contracting projects you do in the future. Use the sample legal
contract language from when you have to hire out for help,
and also take a look at their tutorials to harden your site.
Fourth, don’t just think that Google hacks are the only story. There
are plenty of other ways to get information from Web sites. Read my
white paper for Breach Security about SQL injection if you haven’t
already, to see how easy this exploit is here.
Finally, keep what Long told me in mind: “Google hacking, cross-site
scripting and SQL injection vulnerabilities have been present in every
Web site and application I have audited. Every single one. Bear in
mind that some Google-hacking style vulnerabilities are more revealing
than others, but it is a pervasive threat.”
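
Following the first recommendation above (find out what your site exposes before a search engine does), here is an added example, not from the original article: a Python self-audit that walks a local copy of your own web root and flags files with risky extensions or containing the kinds of terms the essay mentions. The term list, the extension list, the function names and the sample files are all assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed term list, based on the kinds of data the essay names.
SENSITIVE_TERMS = re.compile(r"\b(passwords?|passwd|salary|salaries|customers?)\b", re.I)
# Assumed extensions for files that rarely belong under a public web root.
RISKY_EXTENSIONS = {".bak", ".sql", ".log", ".xls", ".csv", ".old", ".cfg"}


def audit_web_root(root, max_bytes=1_000_000):
    """Return sorted (relative_path, reason) pairs for files worth reviewing."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append((rel, "risky extension " + ext))
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="replace")
            except OSError:
                findings.append((rel, "unreadable, check manually"))
                continue
            match = SENSITIVE_TERMS.search(text)
            if match:
                findings.append((rel, "contains term '%s'" % match.group(1).lower()))
    return sorted(findings)


def build_sample_site(root):
    """Create a small constructed web root used only to demonstrate the audit."""
    samples = {
        "index.html": "<h1>Welcome</h1><p>Opening hours and directions.</p>",
        "hr/payroll.xls": "name,salary\nexample,0\n",
        "backup/site.sql": "INSERT INTO users VALUES ('demo','x');",
        "admin/notes.txt": "default password is on the wiki",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, reason in audit_web_root(site):
            print(rel, "->", reason)
```

Anything the audit flags should be moved out of the web root or placed behind authentication; keeping it out of the search index alone does not stop someone who already has the URL.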