At the cost of security everywhere, Google dorking is still a thing
Some people never seem to learn. A recent investigation by security firm Compaas trawled Google Docs and Dropbox and found thousands of sensitive documents belonging to hospitals, schools, and corporations. In many cases, the spreadsheets caused the organizations to run afoul of consumer privacy laws.
“We found a couple hospitals that had breaches in HIPAA compliance,” Compaas COO Doron David said. “There was patient information, what types of surgeries they had, social security numbers. Anything that you would think of that you would consider personal is the type of thing we’ve come across.”
In most cases, the documents are uploaded by employees who don’t understand the privacy implications of what they’re doing. They simply know that Google Docs and similar services are a much easier way to exchange documents than official methods provided by their employer. In other cases, they use misconfigured third-party apps to swap documents with co-workers. The end result is documents that never should have been made public but can in fact be downloaded by anyone.
On Monday, a group within the US Government Services Administration became the latest cautionary tale when more than 100 Google Drives used by the agency were publicly accessible for five months. Investigators said the breach was the result of its OAuth 2.0 authentication system being set up to authorize access between the group’s Slack account and the GSA Google Drives.
Blunders like these continue to happen more than a decade after Google dorking, also known as Google hacking, became a widely known technique available to both whitehat and blackhat hackers alike. A simple search query such as
intext:"ssn" filetype:xls
is often all it takes to find vast quantities of social security numbers stored in publicly accessible files. Similarly, queries such as
intitle: "index of" password
have been known to uncover user password lists. An NSA document titled “Untangling the Web: A guide to Internet research,” made public in 2013, lists some of the spy agency’s favorite searches. Hobbyists and professional practitioners have published other lists, including this one. In 2014, the FBI warned the public of the phenomenon.
“Google Dork searches are also a great way to find SQL injections, or my personal favorite, backup copies of the WordPress config file (which usually contain the FTP and database mysql passwords),” Vinny Troia, founder and CEO of Night Lion Security, wrote in an e-mail. “Since .bak or .orig files are considered plain text files, you can view them on the Web and they are indexed by Google. So, a standard WordPress config file like wp-config.php.bak will actually render as plain text displaying all the good stuff.”
The reason that Google dorking continues to unearth so much private information and so many insecurities is that new mistakes are made almost as often as old ones are fixed. And that’s why it’s likely to remain a key hacking tool for many years to come.