MOSEB-20 Bonus: Google dorks strikes back

22:26 20.06.2007

Today’s bonus vulnerability in Google. The vulnerability is in Google’s spider, which awry index sensetive content (so it is Google dork). The day of Google bugs in MOSEB was over (at 15th day I posted holes in MOSEB-15 and MOSEB-15 Bonus), but it is nice hole and it’s worth to be mentioned. So Google with new bug is here once more.

The hole is in Google’s spider and it is Information disclosure hole. This one sent me Silentz yesterday, that his mate Lyecdevf found some bad behaviour of the spider. Which result in that Google indexes plain-text FTP credentials of YouTube users (their own users). Nice find guys! Google’s spider rocks 8-) (with its love to index everything).

You can use next dorks:

And as I tested there are working ftp accounts ;-) . Every Youtube user need to attend to security.

The main question (which I asked already in MOSEB-15 Bonus: Vulnerability in Google Custom Search Engine): is Google thinking about its users’ security? No, they don’t. Because they don’t care about it. But they need, Google and others search engines need to take care about users security.

Moral #1: spiders can index everything, even sensetive information, so vendors need to make their spiders more selective.

Moral #2: while searching in engines you can find interesting and sensetive stuff (until vendors start to listen to moral #1).

P.S.

There was recently another hole at Google, as RSnake wrote in article Another Google XSS in Google Documents. In this case XSS hole was at Google Documents.

As I looked, the vulnerability was already fixed, but it was interesting hole. Which remembered Google that they need to attend to security.


8 відповідей на “MOSEB-20 Bonus: Google dorks strikes back”

  1. Ben каже:

    its still not fixed and works =)
    just tried it…

  2. MustLive каже:

    Yes, Ben, vuln still not fixed ;) . Google need to be more quick with it, to not put their own users into the risk.

    All Youtube users need to attend to security and if their ftp accounts got into Google’s index, they need very quickly change their ftp passwords.

  3. Silentz каже:

    Ahh, your site is back up. When i tried it the other day it was down. The really ironic thing about this whole thing is when i asked Lyecdevf where he found the vuln/dork he said….in a video on YouTube!

    Classic!

    http://www.youtube.com/watch?v=Bz7Tfjns7ZM

  4. Watches каже:

    Yes i agree however this has been known for years now but there is so much info out there…!

  5. MustLive каже:

    Silentz

    Yes, my site already back to work after some problems at server (as I wrote yesterday). I moved to new server and now project continue to work. No force majeur can stop me 8-) .

    in a video on YouTube!

    Nice video. YouTube is nice service and there are nice videos on it. And this one is outstanding :-) . Video on Yutube about hacking sites of youtube users. It is very ironic. And granting that Google (owner of Youtube) help with this situation makes it even more ironical.

  6. MustLive каже:

    Watches

    There is a lot of different information in databases of search engines (which can be found). Because spiders index everything, including sensetive information ;-) . So search engines vendors need to improve their spiders (make them more selective).

  7. MrT каже:

    The spiders are not to be blamed for security. They just collect whats public accessible. So not making confidential information public accessible has to be done in the first place. So the whole bug is nonsense.

  8. Maerim каже:

    Yes, I agree with MrT.

    The problem are not the spiders, the problem are the site vendors or the users, who don’t care about security and publish sensitive information in public…

Leave a Reply

You must be logged in to post a comment.