This morning I experimented with some Google searches which can reveal information on public sites.
Inspired by some posts from @Random_Robbie on Twitter
These are now know as Google Dorks.
I first learned of these in “Google Hacking for Penetration Testers” - the book was originally released in 2004.
I’m pretty sure this was once just “using Google Advanced Search” but is now known as “Google Dork”
Here is a presentation from the author of the book:
And the book is now in its third edition:
If you search for Google Dorks then you’ll find lists of common searches and searches that can expose possible SQL injection points etc.
I simply performed a search for text log files with ‘password’ in them.
I then spent a couple of hours emailing companies with issues.
Thus far I have heard back from one company. They were very prompt in their response and clearly take security seriously. They make a wordpress plugin that was the cause of many of the log files I was seeing.
Sadly. To summarise their response:
- this is a very serious issue for the site owners
- the issue is a server configuration
- we did make changes 3 years ago to mitigate this
- the site owners are unlikely to be our customers
- it is important to keep plugins up to date
- thanks for letting us know
And its true that this is an issue for the site owners. When you are running wordpress you need to keep up to date.
But… if it was me.
You could automate finding these as a public service
I’d feel an obligation to let people know that a plugin was leaking customer data: names, addresses, emails, amounts, items etc.
I would probably have written a script which periodically performs the various Google Dork searches which expose the data, and (given that the site email address is listed in the exposed page) scanned the results for email addresses and automatically emailed them.
This could also be a good ‘sales’ tool to get people to upgrade to the most up to date plugin and provide some good community Karma.
If every tool or plugin scanned the web for out of date plugins of its own stuff, and told people there was a problem, we might have fewer problems.
When people find stuff on line they tend not to tell the site owner.
I remember when EvilTester.com was a Wordpress site and I wasn’t really using it and it was hacked and I didn’t notice. All my fault.
Somebody did notice. And they reported it to a website that rates websites. But not to me. So the site now has a poor rating on a web site that rates web sites, despite changing technology and not being an issue.
I once tried to get the rating changed on a web site that rates web sites but they wanted me to make a bunch of updates and go through their admin hoops so I didn’t bother. I thought it more entertaining to fix everything but leave it unchanged on a web site that rates web sites, so now, you cant trust the rating of my site on a web site that rates web sites. And I wonder, how many other ratings on their site are invalid?.
But the point is… tell the site owners so they can fix it.
And if you run a site where people report issues on other sites - tell the site that has been reported.
Things get fixed faster when problems are reported.
Low Hanging Fruit
I contacted two large companies today. Both of whom were leaking payment gateway and customer details into Google’s cache.
All the issues I found could have been found by those organisations if they periodically searched for their site on Google for pages.
Try it yourself on your domain.
If you never release any text files then try:
if you never release any log files publicly then try:
There are a vast number of searches you could do but if you build them around the structure and requirements of your site then you will find things more easily.
Who’s job is this?
Is this Ops, Testing, Security Testing, Dev?
Does it matter?
Whomever is reading this. Try some Google Dorks on your site. If you find something. Figure out how to add it into your ongoing monitoring process.
In the face of GDPR, this becomes ever more important.
Sadly, if you start searching for these problems without limiting it to your domain you will find so many in the wild that you will distrust every site you use. And you will never stop raising issues with site owners letting them know they have problems.
Which is why we need to try and keep our own house, and those of our immediate neighbours, in as good order as possible.
You will need a Github account to comment. Or you can contact me with your comment.
I reserve the right to delete spam comments e.g. if your comment adds no value and its purpose is simply to create a backlink to another site offering training, or courses, etc.