Whilst looking at the security of a web application today I was able to extract the usernames and passwords using SQL Injection, which was nice. Well being a bit of a newbie after I got the passwords I was confused about the encoding/encryption. I managed to figure it out by using the encoding page on Clez.net and by encoding/decoding one of the password that I knew the cleartext of (my test account). It was using Base64 reversed. I also noticed that many of the passwords were =Qmcvd3czFGc which decoded to password (after reversing it).
Now the accidental bit.
My friend Bob got to hear of this and decided to Google the reverse Base64 string "=Qmcvd3czFGc". He got a few hits, but the first result was real interesting.
It seems his fist hit returned email addresses, login names, weird strings that might be base64 reverse encoded passwords (he'll look into that later I imagine).
Then Bob put his Google Fu to work. Seeing that the site had some interesting details available to just about anyone he wondered just how much Google had indexed.
site:yimwhan.com filetype:txt intext:password
Oh dear...within seconds Bob found a password. Surely it was old and probably not active anymore?
Well we all know Bob, his curiosity gets the better of him.
Bob just couldn't help himself could he!
I think this clearly demonstrates that anything you send can and probably will be picked up by Google and someone like Bob might just stumble across it at some time in the future. It might be an idea to think before you post!
UPDATE:
I have also posted this on the Bob Stories Site.
Wednesday, June 10, 2009
An Accidental Google Hack
Subscribe to:
Post Comments (Atom)
5 comments:
Very nice! And I agree with your conclusion. Google is working hard to index all of the information posted on the Internet and make it useful. You can test your site with Google dorks ( and should ), but that leaves the *cough* zero day Google search to be concerned about.
Would you be willing to repost this on Bobstories.com?
Stephen - Google Dorks is one of the first extensions I install. The GHD is pretty awesome too, the guys who contribute to it are pretty smart.
P.S.- Loved the PDC interview you did recently. It was quite different from most interviews they have. Very much along the Schneier or Ranum lines. I'm currently re-reading "Beyond Fear" and a few things you mentioned made a some concepts click into place.
Mubix - I thought of your Bob Stories site but didn't think this story worthy. But as you have asked though I'll definately get it up there over the next couple of days. Cheers.
I have accidentally found google hacks as well. I was reading up on pidgin when i discovered that googled spidered a few stored password files. And just a few days ago, found that google retains xss when it caches pages. This for the article.
Ben, Sound really interesting. You should maybe think about contributing to BobStories.com and give Mubix a shout.
Post a Comment