Google Hacking Back in The News – Google Takes Action


Google hacking was the big thing back in 2004, I actually did a talk on it in Hack in the Box 2004, it’s resurfaced again as a serious threat with Google noticing more queries relating to things like social security numbers.

The Google Hacking Database has been active for years now and there are hundreds of queries that can bring up juicy information. Goolag was also released this year which gives a much easier, automated way of Google Hacking for specific domains or info.

Search engines such as Google are increasingly being used by hackers against Web applications that hold sensitive data, according to a security expert.

Even with rising awareness about data security, it takes all of a few seconds to pluck Social Security numbers from Web sites using targeted search terms, said Amichai Shulman, founder and CTO for database- and application-security company Imperva.

The fact that Social Security numbers are even on the Web is a human error; the information should never be published in the first place. But hackers are using Google in more sophisticated ways to automate attacks against Web sites, Shulman said.

Shulman said Imperva recently discovered a way to execute a SQL injection attack that comes from an IP address that belongs to Google.

It seems like it’s becoming big business on both sides, finding information and vulnerable sites and by gaming Google into dropping pages from the index (Blackhat SEO).

Even with the throttling it’ll still continue, people will find smarter ways to make the queries so it’s not blocked and they’ll build rate limiting into their tools so they don’t get dropped. The bad guys have plenty of patience, trust me on that.

Manipulating Google is particularly useful since it offers anonymity for a hacker plus an automated attack engine, Shulman said.

Tools such as Goolag and Gooscan can execute broad searches across the Web for specific vulnerabilities and return lists of Web sites that have those problems.

“This is no more a script kiddy game — this is a business,” Shulman said. “This is a very powerful hacking capability.”

Another attack method is so-called Google worms, which use the search engine to find specific vulnerabilities. With the inclusion of additional code, the vulnerability can be exploited, Shulman said.

“In 2004, this was science fiction,” Shulman said. “In 2008, this is a painful reality.”

Google and other search engines are taking steps to stop the abuse. For example, Google has stopped certain kinds of searches that could yield a trove of Social Security numbers in a single swoop. It also puts limits on the number of search requests sent per minute, which can slow down mass searches for vulnerable Web sites.

As they said, this is not some script kiddy stuff, with the amount of queries going on and the complexity this is some serious business!

Any pen-test or vulnerability assessment should have an information gathering stage and it’s here you should be using Google Hacking techniques and tools to uncover anything on the domain or company infrastructure that shouldn’t be there.

Just be warned that this kind of stuff is on the up, so brief your clients of the dangers and make sure this step is included in the audit.

Source: Network World

Posted in: Database Hacking, Exploits/Vulnerabilities, Privacy, Web Hacking

, , , , , ,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


One Response to Google Hacking Back in The News – Google Takes Action

  1. navin October 29, 2008 at 10:58 am #

    ah, Google dorking

    my first hacking article was based on google dorking!! Tht’s wht got me into the world of hackin when I realised tht data online was so easily available to anyone!! :)