Security Basics mailing list archives
Re: How does Google get confidential URL-strings?
From: τ∂υƒιφ * <tas0584 () gmail com>
Date: Thu, 4 Jun 2009 10:15:34 +0530
Hey Joe, I see two possibilities. One, someone must be using Google desktop & the search results got published. Once they get published it will also get cached. Secondly, disgruntled or former employees as pointed out by Jeffery. If there is Google toolbar then also this could be possible. cheers TAS -- http://www.niiconsulting.com/products/auditpro.html 2009/5/29 Joe <bitshield () gmail com>
Hello guys I was recently confronted with the problem, where using Google-Hacking techniques I was able to find entries that point to my employer’s website while having confidential username and password parameters in the URL. Using this URL listed as Google’s search result everyone could access personalized accounts on this website. I see two kinds of problems here. First, the web application should not put confidential parameters into the URL. This is the GET/POST discussion which is clear to me. Second, even if a web application puts these parameters into the URL I wonder how his URL gets indexed by Google. Does anyone have a clue how this can happen? Interestingly Google lists only three user accounts while the website has about 10’000 registered users. I was thinking about two possibilities: - The web applicaiton somehow leaks this URL to the Google search spider - The affected users somehow publish their browser history on the web (probably though malware?) It would be interested if someone has Ideas on how the second problem can be explained. By the way, the Google query, that lead to the problematic entries looked as follows: site:mydomain.com inurl:password inurl:user. Any ideas? Regards Joe ------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
Current thread:
- How does Google get confidential URL-strings? Joe (Jun 01)
- Re: How does Google get confidential URL-strings? Jeffrey Walton (Jun 01)
- Re: How does Google get confidential URL-strings? Kurt Buff (Jun 01)
- Re: How does Google get confidential URL-strings? Joe (Jun 03)
- Re: How does Google get confidential URL-strings? Kurt Buff (Jun 03)
- Re: How does Google get confidential URL-strings? Jeff MacDonald (Jun 03)
- Re: How does Google get confidential URL-strings? Joe (Jun 03)
- Re: How does Google get confidential URL-strings? τ∂υƒιφ * (Jun 04)
- Message not available
- Re: How does Google get confidential URL-strings? Joe (Jun 08)