Although they are far rarer today than they were five years ago, such information-rich finds of sensitive, personally identifiable information (PII) can still be found via Google searches. Today Web architects are a little more aware of the problem and are slightly more careful. Initiatives like the Payment Card Industry (PCI) standards have helped to increase awareness of these issues and compliance with good security practices regarding credit card numbers. Furthermore, Google is actually policing its own search index, trying to scrape out sensitive information of that kind.
Does that mean that Google hacking is a thing of the past? Hardly; sensitive PII still turns up now and then. What's more, there are a lot of useful searches in the GHDB beyond PII to find vulnerabilities and other information useful to attackers. Here are a few examples:
- PGP keyrings -- With a user's public PGP keyring, an attacker has an idea of who that person communicates with. With the secret keyring (yes, there are Google searches that will find secret keyrings!) the attacker can download the user's encrypted private key. The attacker would then have to mount a passphrase-guessing attack to decrypt the private key, likely a major undertaking if the user's passphrase is any good. But with the private key cracked, the attacker could then decrypt the user's email, files and disk, and even forge the user's digital signatures.
- Nessus scan results -- With these files, the attacker doesn't have to bother performing a vulnerability scan of the target, given that he or she can just download the results of the scan done by the target organization's own security personnel.
- Vulnerable PHP scripts -- With a list of these, the attacker can try launching exploits of those scripts at the appropriate site to try to take them over.

Google hacking is still an important attack vector today, but it has evolved over the past five years.
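The practical defence against the finds listed above is to notice the exposed file before a search engine does. Below is an added example, not from the original article or the GHDB, of a pre-publication check that walks a web document root and flags the two file types the list names as recoverable: PGP keyrings and Nessus scan exports. It matches on both filename and leading content, so a renamed copy is still caught. The filenames (`secring.gpg`, `pubring.gpg`, `.pkr`/`.skr`, `.nessus`), the PGP armor headers and the `<NessusClientData` XML root are assumptions based on the usual defaults of those tools; the sample tree it scans is constructed inline and contains no real key or scan data.

```python
"""Pre-publication check for a web root: flag PGP keyrings and Nessus exports.

Added example, not the article's own code. Filename patterns and content
markers are assumptions based on common GnuPG/PGP and Nessus defaults.
"""
import os
import re
import tempfile
from pathlib import Path

# Filename rules (assumed defaults): GnuPG/PGP keyrings and Nessus exports.
NAME_RULES = [
    (re.compile(r"^(secring|pubring)\.(gpg|pgp|pkr|skr)$", re.I), "keyring-by-name"),
    (re.compile(r"\.nessus$", re.I), "nessus-export-by-name"),
]

# Content markers checked in the first few KB of every file, so a keyring or
# report that was renamed to hide it is still reported. Markers are assumptions
# taken from the usual ASCII-armor and Nessus XML headers.
CONTENT_RULES = [
    (b"-----BEGIN PGP PRIVATE KEY BLOCK-----", "pgp-private-key"),
    (b"-----BEGIN PGP PUBLIC KEY BLOCK-----", "pgp-public-key"),
    (b"<NessusClientData", "nessus-report"),
]

HEAD_BYTES = 8192  # only the head of each file is read


def classify(path: Path) -> list[str]:
    """Return the list of reasons a file looks sensitive (empty if none)."""
    reasons = [tag for rx, tag in NAME_RULES if rx.search(path.name)]
    try:
        with path.open("rb") as fh:
            head = fh.read(HEAD_BYTES)
    except OSError:
        return reasons  # unreadable file: report what the name tells us
    reasons += [tag for marker, tag in CONTENT_RULES if marker in head]
    return reasons


def scan_webroot(root) -> dict[str, list[str]]:
    """Walk the document root and map each suspect file (relative path) to its reasons."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = classify(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def build_sample_webroot(base) -> Path:
    """Constructed sample tree for the demo; none of these files are real keys or scans."""
    root = Path(base) / "htdocs"
    (root / "backup").mkdir(parents=True)
    (root / "index.html").write_text("<html><body>hello</body></html>")
    # Binary stub with a keyring filename: caught by name only.
    (root / "backup" / "secring.gpg").write_bytes(b"\x95\x01")
    # Innocuous filename, armored private key inside: caught by content only.
    (root / "backup" / "keys.txt").write_text(
        "-----BEGIN PGP PRIVATE KEY BLOCK-----\nconstructed\n"
        "-----END PGP PRIVATE KEY BLOCK-----\n"
    )
    # Nessus export: caught by both name and content.
    (root / "scan-2008.nessus").write_text(
        '<?xml version="1.0"?><NessusClientData_v2/>'
    )
    return root


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_sample_webroot(tmp))


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {', '.join(why)}")
```

Run it against a real document root with `scan_webroot("/path/to/htdocs")` from a deploy hook or a nightly job; anything it returns should be removed from the web tree or placed behind authentication, and the rule tables are the place to add whatever other artifacts your own GHDB review turns up.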
This was first published in April 2008