In it the author points out how easy it is to use Google’s more advanced search features to find sensitive data left carelessly in the clear by webmasters (or, as the author puts it, by Bob in Marketing who has no idea he’s even publishing to the public web). The article is full of example searches, which is rather fun, and includes a pointer to an entire site of hacks that is worth checking out, called Googledorks.
Often Web servers are left configured to list the contents of directories if there is no default Web page in those directories; on top of that, those directories often contain lots of stuff that the website owners don’t actually want to be on the Web. That makes such directory lists prime targets for snoopers….
…Once you start to think about it, the potentially troublesome words and phrases that can be searched for and leveraged should begin to multiply in your mind: passwd. htpasswd. accounts. users.pwd. web_store.cgi. finances. admin. secret. fpadmin.htm. credit card. ssn. And so on….
Google and other search tools have made the world available to us all, if we just know what to ask for. It’s our job as security pros to help make the folks we work and interact with aware of that fact, in all of its far-reaching ramifications.