At the cost of security everywhere, Google dorking is still a thing

By Erma F. Brown

Mar 23, 2022
Some people never seem to learn. A recent investigation by security firm Compaas trawled Google Docs and Dropbox and found thousands of sensitive documents belonging to hospitals, schools, and corporations. In many cases, the spreadsheets caused the organizations to run afoul of consumer privacy laws.

“We found a couple hospitals that had breaches in HIPAA compliance,” Compaas COO Doron David said. “There was patient information, what types of surgeries they had, social security numbers. Anything that you would think of that you would consider personal is the type of thing we’ve come across.”

In most cases, the documents are uploaded by employees who don’t understand the privacy implications of what they’re doing. They simply know that Google Docs and similar services are a much easier way to exchange documents than official methods provided by their employer. In other cases, they use misconfigured third-party apps to swap documents with co-workers. The end result is documents that never should have been made public but can in fact be downloaded by anyone.

On Monday, a group within the US Government Services Administration became the latest cautionary tale when more than 100 Google Drives used by the agency were publicly accessible for five months. Investigators said the breach was the result of its OAuth 2.0 authentication system being set up to authorize access between the group’s Slack account and the GSA Google Drives.

Blunders like these continue to happen more than a decade after Google dorking, also known as Google hacking, became a widely known technique available to whitehat and blackhat hackers alike. A simple search query such as

intext:"ssn" filetype:xls

is often all it takes to find vast quantities of social security numbers stored in publicly accessible files. Similarly, queries such as

intitle: "index of" password

have been known to uncover user password lists. An NSA document titled “Untangling the Web: A guide to Internet research,” made public in 2013, lists some of the spy agency’s favorite searches. Hobbyists and professional practitioners have published other lists, including this one. In 2014, the FBI warned the public of the phenomenon.

“Google Dork searches are also a great way to find SQL injections, or my personal favorite, backup copies of the WordPress config file (which usually contain the FTP and database mysql passwords),” Vinny Troia, founder and CEO of Night Lion Security, wrote in an e-mail. “Since .bak or .orig files are considered plain text files, you can view them on the Web and they are indexed by Google. So, a standard WordPress config file like wp-config.php.bak will actually render as plain text displaying all the good stuff.”
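The defender's side of the backup-file exposure described above, as an added example that is not part of the original article: a Python audit that walks a web document root and flags backup copies of executable source files, noting which ones contain credential-like lines. The suffix and extension lists, the secret pattern, and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Source files the server normally executes, followed by a leftover backup suffix.
# Both lists are assumptions; extend them for your own environment.
BACKUP_RE = re.compile(
    r".+\.(php|phtml|asp|aspx|jsp)(\.bak|\.orig|\.old|\.save|\.swp|~)$", re.I
)
# Lines that look like credential settings, e.g. define('DB_PASSWORD', ...).
SECRET_RE = re.compile(r"DB_PASSWORD|DB_USER|AUTH_KEY|passw(or)?d\s*=", re.I)


def find_exposed_backups(docroot):
    """Return sorted (relative_path, has_secrets) for backup copies under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not BACKUP_RE.fullmatch(name):
                continue
            path = os.path.join(dirpath, name)
            # Read as text with replacement so binary junk cannot abort the scan.
            with open(path, "r", errors="replace") as fh:
                has_secrets = any(SECRET_RE.search(line) for line in fh)
            findings.append((os.path.relpath(path, docroot), has_secrets))
    return sorted(findings)


def demo():
    """Scan a constructed document root (sample files, not real data)."""
    samples = {
        "wp-config.php": "<?php define('DB_PASSWORD', 'constructed');",
        "wp-config.php.bak": "<?php define('DB_PASSWORD', 'constructed');",
        "index.php.orig": "<?php echo 'hello';",
        "notes.txt.bak": "not a copy of executable source",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return find_exposed_backups(root)


if __name__ == "__main__":
    for rel, secrets in demo():
        print("SECRETS" if secrets else "review ", rel)
```

Run against a real document root with `find_exposed_backups("/path/to/docroot")`; anything it reports should be moved out of the web-served tree or blocked by a server rule for those suffixes.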

The reason that Google dorking continues to unearth so much private information and so many insecurities is that new mistakes are made almost as often as old ones are fixed. And that’s why it’s likely to remain a key hacking tool for many years to come.