Google Hacking

There's an ever-growing database of Google hacks which demonstrates all the amazing stuff that is reachable by the Google bots. My particular favorite is the one that lets you find web camera controllers with default admin passwords, which reveals at least one airport security center.

However, you don't have to do a Triple Lindy with a twist to find interesting things with Google. Not too long ago, I was performing a security review for an organization. They had already had an architectural review of their upcoming application. While working on the security assessment, I happened to be on Google searching for something unrelated (I can't remember the search, but it was something to do with the framework stack they were considering for their new project). The fifth result in my list looked awfully intriguing: it turned out to be the architecture review that had just been performed not two weeks earlier. Apparently, their internal document distribution channel included a file server with a web front end.

The upside to the story is that on my next conference call with the team, I was able to point out this security hole before I delivered my assessment, which was scheduled to be distributed over the same channel. The downside to this story is that it is far from unique. There just isn't a healthy enough respect for the Great Eye of Google out there. Like Sauron atop the Black Tower, the Great Eye can peer into the hearts of men (well, companies) and reveal the darkest corners of their soul. And the worst part is, unlike some other kinds of security flaws, there's a public record of the leaked information. Once Google gets in, something somewhere is going to cache what it found, and that will be mirrored on another cache, and on and on. Fixing the hole that let's Google in only protects the future; your past is part of the public record.