Don't Be A GoogleDork | John Battelle's Search Blog

Don't Be A GoogleDork

By - March 10, 2004

Dan Gillmor points to a thoughtful article on search and security, published on The Register today.

In it the author points out how easy it is to use Google’s more advanced search features to find sensitive data left carelessly in the clear by webmasters (or, as the author puts it, by Bob in Marketing who has no idea he’s even publishing to the public web). The article is full of example searches, which is rather fun, and includes a pointer to an entire site of hacks that is worth checking out, called Googledorks.

Excerpts:

Often Web servers are left configured to list the contents of directories if there is no default Web page in those directories; on top of that, those directories often contain lots of stuff that the website owners don’t actually want to be on the Web. That makes such directory lists prime targets for snoopers….
…Once you start to think about it, the potentially troublesome words and phrases that can be searched for and leveraged should begin to multiply in your mind: passwd. htpasswd. accounts. users.pwd. web_store.cgi. finances. admin. secret. fpadmin.htm. credit card. ssn. And so on….
Google and other search tools have made the world available to us all, if we just know what to ask for. It’s our job as security pros to help make the folks we work and interact with aware of that fact, in all of its far-reaching ramifications.
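As an added example (not code from the Register article or from this blog), here is a small Python audit a webmaster can run against their own server's responses: it recognises an auto-generated directory index by its title and flags listed entries whose names match the sensitive terms quoted above. The sample listing is constructed to look like an Apache index page.

```python
import re
from html.parser import HTMLParser

# Terms taken from the excerpt above; a real audit would extend this list.
SENSITIVE_TERMS = ("passwd", "htpasswd", "accounts", "users.pwd",
                   "web_store.cgi", "finances", "admin", "secret",
                   "fpadmin.htm", "credit card", "ssn")

class _IndexPage(HTMLParser):
    """Collects the <title> text and every href on a page."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def _parse(html):
    page = _IndexPage()
    page.feed(html)
    return page

def is_directory_listing(html):
    """Heuristic: auto-generated indexes are titled 'Index of /path'
    (Apache) or 'Directory listing for /path' (Python's http.server)."""
    title = _parse(html).title
    return bool(re.match(r"\s*(Index of|Directory listing)", title, re.I))

def sensitive_entries(html):
    """Return listed entries whose file name contains a sensitive term."""
    hits = []
    for href in _parse(html).hrefs:
        name = href.rstrip("/").rsplit("/", 1)[-1].lower()
        if any(term in name for term in SENSITIVE_TERMS):
            hits.append(href)
    return hits

# Constructed sample of what an exposed Apache directory index looks like.
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1><pre>
<a href="htpasswd.old">htpasswd.old</a>
<a href="logo.png">logo.png</a>
<a href="finances.xls">finances.xls</a>
</pre></body></html>"""
```

On Apache the listing itself is switched off with `Options -Indexes`; the check above is meant to confirm that your own site no longer serves such pages.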



One thought on “Don't Be A GoogleDork”

  1. gp says:

    A good article and something that those of us in the library community have been warning about for a long time. The problem with the article is that it focuses only on Google. The reader should know that web resources other than Google cache and archive web pages, and some offer more advanced search functionality than Google offers. Yes, Google is the most popular, but the people who want this info also use other tools to find it.