Google Hacking Back in The News – Google Takes Action

Use Netsparker


Google hacking was the big thing back in 2004, I actually did a talk on it in Hack in the Box 2004, it’s resurfaced again as a serious threat with Google noticing more queries relating to things like social security numbers.

The Google Hacking Database has been active for years now and there are hundreds of queries that can bring up juicy information. Goolag was also released this year which gives a much easier, automated way of Google Hacking for specific domains or info.

Search engines such as Google are increasingly being used by hackers against Web applications that hold sensitive data, according to a security expert.

Even with rising awareness about data security, it takes all of a few seconds to pluck Social Security numbers from Web sites using targeted search terms, said Amichai Shulman, founder and CTO for database- and application-security company Imperva.

The fact that Social Security numbers are even on the Web is a human error; the information should never be published in the first place. But hackers are using Google in more sophisticated ways to automate attacks against Web sites, Shulman said.

Shulman said Imperva recently discovered a way to execute a SQL injection attack that comes from an IP address that belongs to Google.

It seems like it’s becoming big business on both sides, finding information and vulnerable sites and by gaming Google into dropping pages from the index (Blackhat SEO).

Even with the throttling it’ll still continue, people will find smarter ways to make the queries so it’s not blocked and they’ll build rate limiting into their tools so they don’t get dropped. The bad guys have plenty of patience, trust me on that.

Manipulating Google is particularly useful since it offers anonymity for a hacker plus an automated attack engine, Shulman said.

Tools such as Goolag and Gooscan can execute broad searches across the Web for specific vulnerabilities and return lists of Web sites that have those problems.

“This is no more a script kiddy game — this is a business,” Shulman said. “This is a very powerful hacking capability.”

Another attack method is so-called Google worms, which use the search engine to find specific vulnerabilities. With the inclusion of additional code, the vulnerability can be exploited, Shulman said.

“In 2004, this was science fiction,” Shulman said. “In 2008, this is a painful reality.”

Google and other search engines are taking steps to stop the abuse. For example, Google has stopped certain kinds of searches that could yield a trove of Social Security numbers in a single swoop. It also puts limits on the number of search requests sent per minute, which can slow down mass searches for vulnerable Web sites.

As they said, this is not some script kiddy stuff, with the amount of queries going on and the complexity this is some serious business!

Any pen-test or vulnerability assessment should have an information gathering stage and it’s here you should be using Google Hacking techniques and tools to uncover anything on the domain or company infrastructure that shouldn’t be there.

Just be warned that this kind of stuff is on the up, so brief your clients of the dangers and make sure this step is included in the audit.

Source: Network World

Posted in: Database Hacking, Exploits/Vulnerabilities, Privacy, Web Hacking

, , , , , ,


Latest Posts:


Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.


One Response to Google Hacking Back in The News – Google Takes Action

  1. navin October 29, 2008 at 10:58 am #

    ah, Google dorking

    my first hacking article was based on google dorking!! Tht’s wht got me into the world of hackin when I realised tht data online was so easily available to anyone!! :)