Google Hacking Week : Grab juicy info with the right search query.

Feb 28

So we showed you how powerful a good Google search could be this week. Time to turn to the dark side and give you some examples of how hackers can use these skills to get to some pretty scary things. To create a dangerous situation where the wrong information can fall into the wrong hands, you need two ingredients: somebody who is stupid enough to put it online, and somebody who is clever enough to find it. Below are some pretty creepy examples of how some Google dorks spill information that was supposed to be private.

Some juicy searches.

Some people write down their domain registration information in a .doc file .. and then put it on the internet. Whoever can put two and two together .. can steal their domain.

  • filetype:docx Domain Registrar $user $pass

How about finding product licence files for the Avast antivirus program? Some of them are just up for grabs.

  • filetype:avastlic

How about we go searching for a randomly published list of phone numbers?

  • allinurl:phonenumbers filetype:xls

Search for random résumés that candidates (or their employees) put online.

  • inurl:Curriculum Vitae filetype:pdf

How about some “Confidential Salary” documents that people put online? (We stood in awe at the first hit.)

  • ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:"budget approved") inurl:confidential

Or take a peek at people’s random downloaded hotmail emails. 

  • inurl:getmsg.html intitle:hotmail

It’s a little bit of history .. but how about a random Netscape browser history file? (We giggled at THIS one.)

  • inurl:netscape.hst

And when combining this generic search query for root directories of certain FTP servers with a certain domain .. you can find out a lot. If you use it as listed below .. it’s just an interesting way to browse random file directories.

  • intitle:"FTP root at"

MSN Messenger does not exist anymore, but there are plenty of contact lists well stocked with juicy email addresses up for grabs.

  • filetype:ctt "msn"

And the list goes on and on and on. Now, standing by themselves, the Google searches above are quite harmless. They are too generic to do any harm and are only good for a chuckle. The dangerous part begins when these queries are targeted at a certain person, site or domain. Armed with ONLY their browser and an internet connection, the wrong people can find out all the right things they need to know to make you / your company / your website have a really bad day. Knowledge is power and it is also ambivalent. It can be used for good and for evil… So are you SURE that there is no digital flotsam with your usernames/passwords floating around on the internet? Because once Google indexes it .. anybody with the right skills can find it.
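To answer that last question for your own site, here is an added example (not part of the original post): a small Python check that applies the URL-based queries listed above to an inventory of URLs you publish yourself, for instance from a sitemap or a crawl of your own domain. The rule labels, the `audit` function and the example.com URLs are made up for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

DOC_EXTS = {"doc", "pdf", "xls", "txt", "ps", "rtf", "odt", "sxw",
            "psw", "ppt", "pps", "xml"}

# (label, allowed extensions or None for any, words that must appear in the URL)
# Each rule mirrors one filetype:/ext:/inurl:/allinurl: query from the post.
RULES = [
    ("Avast licence file",              {"avastlic"}, ()),
    ("phone number spreadsheet",        {"xls"},      ("phonenumbers",)),
    ("CV in PDF form",                  {"pdf"},      ("curriculum",)),
    ("document on a confidential path", DOC_EXTS,     ("confidential",)),
    ("saved Hotmail message",           None,         ("getmsg.html",)),
    ("Netscape history file",           None,         ("netscape.hst",)),
    ("MSN Messenger contact list",      {"ctt"},      ()),
]

def audit(urls):
    """Return (url, label) for every URL that one of the rules matches."""
    findings = []
    for url in urls:
        whole = unquote(url).lower()                 # inurl: matches anywhere
        path = unquote(urlsplit(url).path).lower()   # extension comes from the path only
        ext = posixpath.splitext(path)[1].lstrip(".")
        for label, exts, words in RULES:
            if exts is not None and ext not in exts:
                continue
            if all(word in whole for word in words):
                findings.append((url, label))
    return findings

# Constructed inventory of one's own published URLs (sample data).
SAMPLE_URLS = [
    "https://www.example.com/index.html",
    "https://www.example.com/files/License.AVASTLIC",
    "https://www.example.com/hr/Confidential/salary-2013.xls?dl=1",
    "https://www.example.com/staff/phonenumbers.xls",
    "https://www.example.com/old/netscape.hst",
    "https://www.example.com/jobs/Curriculum%20Vitae.pdf",
    "https://www.example.com/reports/annual.pdf",
]

if __name__ == "__main__":
    for url, label in audit(SAMPLE_URLS):
        print(f"{label:32} {url}")
```

Anything it flags is a file to take offline or put behind a login, after which you can ask the search engine to drop it from its index.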

Google Sync: your bookmarks everywhere.

Jun 09

Google Sync : Your house is my house.

Just got up and running this morning and was only 5 seconds into my morning surf-wave when I already found my little snippet of news that kind of makes my day. Google has just released a Firefox extension called 'browsersync' that lets you synchronize your bookmarks between several different browsers (at work, at home, etc.). This is not such big news, because services like this existed before (you had the bookmarks in your Google toolbar, you had del.icio.us). Plenty of places to store your bookmarks… but not very convenient. What if you already HAD an extensive list of bookmarks? You had to order them, categorize them and so on. Not a very easy thing to do. And I don’t really like third party places where you have to manage your bookmarks. All in the comfort of my own home please. Now Google has come up with a cool FIREFOX extension that lets you sync UP your websites to the Google servers, and sync them down again as you log on to a different computer. Meanwhile the bookmarks are stored locally on both computers… and a copy is stored on the Google servers.

What’s your flavor .. tell me what’s your flavor.

What a great marketing trick. Google now knows exactly what your ‘favorites’ are and can use this to send you targeted ads and searches. Their motto is “Do no Evil” and so far, Google has been a pretty good boy .. But what if all that information that Google has (favourites, Gmail, search information) is ever put to “not so good use”? Google is sure as hell gaining a lot of information this way, and for convenience’s sake we are quite willing to give up some privacy. But on the other hand: what if this leads to targeted advertising? It would be a bad thing, but also a good thing. What if the spam you get in your inbox anyway .. is more directed at your interests? Instead of college diplomas and .. let’s call them “ego-enlargements” … you would get spam about tech stuff, Barbie dolls, or when your favorite rerun of Family Ties is on TV. It just shows that information can be used in different ways and that good and bad … depends on where you stand. Before I start sounding like Obi-Wan Kenobi .. I better sign off!
