Security Basics mailing list archives
Re: How does Google get confidential URL-strings?
From: Kurt Buff <kurt.buff () gmail com>
Date: Tue, 2 Jun 2009 14:05:40 -0700
Dunno. Those queries got out to Google *somehow* - where did Google find them? That's your best starting point. Kurt On Tue, Jun 2, 2009 at 12:47, Joe <bitshield () gmail com> wrote:
I will check that out. However, would this be a plausible solution? On Mon, Jun 1, 2009 at 9:08 PM, Kurt Buff <kurt.buff () gmail com> wrote:Just a thought... Do those three users have google desktop installed? On Fri, May 29, 2009 at 00:23, Joe <bitshield () gmail com> wrote:Hello guys I was recently confronted with the problem, where using Google-Hacking techniques I was able to find entries that point to my employer’s website while having confidential username and password parameters in the URL. Using this URL listed as Google’s search result everyone could access personalized accounts on this website. I see two kinds of problems here. First, the web application should not put confidential parameters into the URL. This is the GET/POST discussion which is clear to me. Second, even if a web application puts these parameters into the URL I wonder how his URL gets indexed by Google. Does anyone have a clue how this can happen? Interestingly Google lists only three user accounts while the website has about 10’000 registered users. I was thinking about two possibilities: - The web applicaiton somehow leaks this URL to the Google search spider - The affected users somehow publish their browser history on the web (probably though malware?) It would be interested if someone has Ideas on how the second problem can be explained. By the way, the Google query, that lead to the problematic entries looked as follows: site:mydomain.com inurl:password inurl:user. Any ideas? Regards Joe
------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
Current thread:
- How does Google get confidential URL-strings? Joe (Jun 01)
- Re: How does Google get confidential URL-strings? Jeffrey Walton (Jun 01)
- Re: How does Google get confidential URL-strings? Kurt Buff (Jun 01)
- Re: How does Google get confidential URL-strings? Joe (Jun 03)
- Re: How does Google get confidential URL-strings? Kurt Buff (Jun 03)
- Re: How does Google get confidential URL-strings? Jeff MacDonald (Jun 03)
- Re: How does Google get confidential URL-strings? Joe (Jun 03)
- Re: How does Google get confidential URL-strings? τ∂υƒιφ * (Jun 04)
- Message not available
- Re: How does Google get confidential URL-strings? Joe (Jun 08)