At the cost of security everywhere, Google dorking is still a thing

ByMabel R. Acton

Mar 24, 2022 #2021 Acura Rdx Technology Package, #2021 Acura Tlx Technology Package, #2022 Acura Mdx Technology Package, #Align Technology Stock, #Applied Racing Technology, #Artificial Intelligence Technology Solutions Inc, #Assisted Reproductive Technology, #Battery Technology Stocks, #Benjamin Franklin Institute Of Technology, #Chief Technology Officer, #Color Star Technology, #Craft Design Technology, #Definition Of Technology, #Definitive Technology Speakers, #Element Materials Technology, #Health Information Technology Salary, #Ice Mortgage Technology, #Information Technology Definition, #Information Technology Degree, #Information Technology Salary, #Interactive Response Technology, #International Game Technology, #La Crosse Technology Weather Station, #Lacrosse Technology Atomic Clock, #Luokung Technology Stock, #Marvell Technology Stock Price, #Maytag Commercial Technology Washer, #Microchip Technology Stock, #Micron Technology Stock Price, #Mrna Technology History, #Mrna Vaccine Technology, #Nyc College Of Technology, #Penn College Of Technology, #Recombinant Dna Technology, #Rlx Technology Stock, #Robert Half Technology, #Science And Technology, #Sharif University Of Technology, #Smart Home Technology, #Stevens Institute Of Technology Ranking, #Symphony Technology Group, #Technology In The Classroom, #Technology Readiness Level, #Technology Stores Near Me, #Thaddeus Stevens College Of Technology, #University Of Advancing Technology, #Vanguard Information Technology Etf, #Vanguard Technology Etf, #What Is 5g Technology, #Women In Technology
At the cost of security everywhere, Google dorking is still a thing

Some people never seem to learn. A recent investigation by security firm Compaas trawled Google Docs and Dropbox and found thousands of sensitive documents belonging to hospitals, schools, and corporations. In many cases, the spreadsheets caused the organizations to run afoul of consumer privacy laws.

“We found a couple hospitals that had breaches in HIPAA compliance,” Compaas COO Doron David said. “There was patient information, what types of surgeries they had, social security numbers. Anything that you would think of that you would consider personal is the type of thing we’ve come across.”

In most cases, the documents are uploaded by employees who don’t understand the privacy implications of what they’re doing. They simply know that Google Docs and similar services are a much easier way to exchange documents than official methods provided by their employer. In other cases, they use misconfigured third-party apps to swap documents with co-workers. The end result is documents that never should have been made public but can in fact be downloaded by anyone.

On Monday, a group within the US Government Services Administration became the latest cautionary tale when more than 100 Google Drives used by the agency were publicly accessible for five months. Investigators said the breach was the result of its OAuth 2.0 authentication system being set up to authorize access between the group’s Slack account and the GSA Google Drives.

Blunders like these continue to happen more than a decade after Google dorking, also known as Google hacking, became a widely known technique available to both whitehat and blackhat hackers alike. A simple search query such as

intext:"ssn" filetype:xls

is often all it takes to find vast quantities of social security numbers stored in publicly accessible files. Similarly, queries such as

intitle: "index of" password

have been known to uncover user password lists. An NSA document titled “Untangling the Web: A guide to Internet research,” made public in 2013, lists some of the spy agency’s favorite searches. Hobbyists and professional practitioners have published other lists, including this one. In 2014, the FBI warned the public of the phenomenon.

“Google Dork searches are also a great way to find SQL injections, or my personal favorite, backup copies of the WordPress config file (which usually contain the FTP and database mysql passwords),” Vinny Troia, founder and CEO of Night Lion Security, wrote in an e-mail. “Since .bak or .orig files are considered plain text files, you can view them on the Web and they are indexed by Google. So, a standard WordPress config file like wp-config.php.bak will actually render as plain text displaying all the good stuff.”

The reason that Google dorking continues to unearth so much private information and so many insecurities is that new mistakes are made almost as often as old ones are fixed. And that’s why it’s likely to remain a key hacking tool for many years to come.