Security Basics mailing list archives

Re: How does Google get confidential URL-strings?

From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 1 Jun 2009 14:31:12 -0400

 Interestingly Google lists only three user accounts while the website
 has about 10’000 registered users. I was thinking about two
 possibilities:
 - The web applicaiton somehow leaks this URL to the Google search spider
 - The affected users somehow publish their browser history on the web
 (probably though malware?)

Disgruntled or former employees?

 By the way, the Google query, that lead to the problematic entries
 looked as follows: site:mydomain.com inurl:password inurl:user.

Google Hacking is a good book :)

Jeff

On 5/29/09, Joe <bitshield () gmail com> wrote:

Hello guys

 I was recently confronted with the problem, where using Google-Hacking
 techniques I was able to find entries that point to my employer’s
 website while having confidential username and password parameters in
 the URL. Using this URL listed as Google’s search result everyone
 could access personalized accounts on this website.

 I see two kinds of problems here.

 First, the web application should not put confidential parameters into
 the URL. This is the GET/POST discussion which is clear to me.

 Second, even if a web application puts these parameters into the URL I
 wonder how his URL gets indexed by Google. Does anyone have a clue how
 this can happen?

 Interestingly Google lists only three user accounts while the website
 has about 10’000 registered users. I was thinking about two
 possibilities:
 - The web applicaiton somehow leaks this URL to the Google search spider
 - The affected users somehow publish their browser history on the web
 (probably though malware?)

 It would be interested if someone has Ideas on how the second problem
 can be explained.

 By the way, the Google query, that lead to the problematic entries
 looked as follows: site:mydomain.com inurl:password inurl:user.

 Any ideas?

 Regards
 Joe

[SNIP]


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------

Current thread:

How does Google get confidential URL-strings? Joe (Jun 01)
- Re: How does Google get confidential URL-strings? Jeffrey Walton (Jun 01)
- Re: How does Google get confidential URL-strings? Kurt Buff (Jun 01)
  - Re: How does Google get confidential URL-strings? Joe (Jun 03)
    - Re: How does Google get confidential URL-strings? Kurt Buff (Jun 03)
    - Re: How does Google get confidential URL-strings? Jeff MacDonald (Jun 03)
- Re: How does Google get confidential URL-strings? τ∂υƒιφ * (Jun 04)
- Message not available
  - Re: How does Google get confidential URL-strings? Joe (Jun 08)