Today’s bonus vulnerability in Google. The vulnerability is in Google’s spider, which awry index sensetive content (so it is Google dork). The day of Google bugs in MOSEB was over (at 15th day I posted holes in MOSEB-15 and MOSEB-15 Bonus), but it is nice hole and it’s worth to be mentioned. So Google with new bug is here once more.
The hole is in Google’s spider and it is Information disclosure hole. This one sent me Silentz yesterday, that his mate Lyecdevf found some bad behaviour of the spider. Which result in that Google indexes plain-text FTP credentials of YouTube users (their own users). Nice find guys! Google’s spider rocks (with its love to index everything).
You can use next dorks:
- site:youtube.com “clicks from ftp @” - about 239 results from Google (Lyecdevf’s dork)
- “clicks from ftp” (+ filter=0) - about 399 results from Google (my dork)
And as I tested there are working ftp accounts . Every Youtube user need to attend to security.
The main question (which I asked already in MOSEB-15 Bonus: Vulnerability in Google Custom Search Engine): is Google thinking about its users’ security? No, they don’t. Because they don’t care about it. But they need, Google and others search engines need to take care about users security.
Moral #1: spiders can index everything, even sensetive information, so vendors need to make their spiders more selective.
Moral #2: while searching in engines you can find interesting and sensetive stuff (until vendors start to listen to moral #1).
There was recently another hole at Google, as RSnake wrote in article Another Google XSS in Google Documents. In this case XSS hole was at Google Documents.
As I looked, the vulnerability was already fixed, but it was interesting hole. Which remembered Google that they need to attend to security.