Security Basics mailing list archives
Re: How does Google get confidential URL-strings?
From: Joe <bitshield () gmail com>
Date: Mon, 8 Jun 2009 07:43:37 +0000
I don't think this was the case. By the time I found out that the URLs, which were indexed by Google were never used by the affected users. They were just part of the website. This leads me to the conclusion that Typo3 may have exposed these URLs over its rendered HTML pages. So to me, it looks like a Typo3 bug, which is not any more reconstructable... Thanks Joe On Thu, Jun 4, 2009 at 9:06 PM, Rabbi Malcontent<rabbi.malcontent () gmail com> wrote:
could someone have bounced an email with the confidential stuff to an external gmail account? On Fri, May 29, 2009 at 3:23 AM, Joe <bitshield () gmail com> wrote:Hello guys I was recently confronted with the problem, where using Google-Hacking techniques I was able to find entries that point to my employer’s website while having confidential username and password parameters in the URL. Using this URL listed as Google’s search result everyone could access personalized accounts on this website. I see two kinds of problems here. First, the web application should not put confidential parameters into the URL. This is the GET/POST discussion which is clear to me. Second, even if a web application puts these parameters into the URL I wonder how his URL gets indexed by Google. Does anyone have a clue how this can happen? Interestingly Google lists only three user accounts while the website has about 10’000 registered users. I was thinking about two possibilities: - The web applicaiton somehow leaks this URL to the Google search spider - The affected users somehow publish their browser history on the web (probably though malware?) It would be interested if someone has Ideas on how the second problem can be explained. By the way, the Google query, that lead to the problematic entries looked as follows: site:mydomain.com inurl:password inurl:user. Any ideas? Regards Joe ------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
Current thread:
- How does Google get confidential URL-strings? Joe (Jun 01)
- Re: How does Google get confidential URL-strings? Jeffrey Walton (Jun 01)
- Re: How does Google get confidential URL-strings? Kurt Buff (Jun 01)
- Re: How does Google get confidential URL-strings? Joe (Jun 03)
- Re: How does Google get confidential URL-strings? Kurt Buff (Jun 03)
- Re: How does Google get confidential URL-strings? Jeff MacDonald (Jun 03)
- Re: How does Google get confidential URL-strings? Joe (Jun 03)
- Re: How does Google get confidential URL-strings? τ∂υƒιφ * (Jun 04)
- Message not available
- Re: How does Google get confidential URL-strings? Joe (Jun 08)