MOSEB-20 Bonus: Google dorks strikes back
22:26 20.06.2007Today’s bonus vulnerability in Google. The vulnerability is in Google’s spider, which awry index sensetive content (so it is Google dork). The day of Google bugs in MOSEB was over (at 15th day I posted holes in MOSEB-15 and MOSEB-15 Bonus), but it is nice hole and it’s worth to be mentioned. So Google with new bug is here once more.
The hole is in Google’s spider and it is Information disclosure hole. This one sent me Silentz yesterday, that his mate Lyecdevf found some bad behaviour of the spider. Which result in that Google indexes plain-text FTP credentials of YouTube users (their own users). Nice find guys! Google’s spider rocks (with its love to index everything).
You can use next dorks:
- site:youtube.com “clicks from ftp @” - about 239 results from Google (Lyecdevf’s dork)
- “clicks from ftp” (+ filter=0) - about 399 results from Google (my dork)
And as I tested there are working ftp accounts . Every Youtube user need to attend to security.
The main question (which I asked already in MOSEB-15 Bonus: Vulnerability in Google Custom Search Engine): is Google thinking about its users’ security? No, they don’t. Because they don’t care about it. But they need, Google and others search engines need to take care about users security.
Moral #1: spiders can index everything, even sensetive information, so vendors need to make their spiders more selective.
Moral #2: while searching in engines you can find interesting and sensetive stuff (until vendors start to listen to moral #1).
P.S.
There was recently another hole at Google, as RSnake wrote in article Another Google XSS in Google Documents. In this case XSS hole was at Google Documents.
As I looked, the vulnerability was already fixed, but it was interesting hole. Which remembered Google that they need to attend to security.
Четвер, 11:38 21.06.2007
its still not fixed and works =)
just tried it…
Субота, 18:09 23.06.2007
Yes, Ben, vuln still not fixed . Google need to be more quick with it, to not put their own users into the risk.
All Youtube users need to attend to security and if their ftp accounts got into Google’s index, they need very quickly change their ftp passwords.
Субота, 23:32 23.06.2007
Ahh, your site is back up. When i tried it the other day it was down. The really ironic thing about this whole thing is when i asked Lyecdevf where he found the vuln/dork he said….in a video on YouTube!
Classic!
http://www.youtube.com/watch?v=Bz7Tfjns7ZM
Неділя, 09:35 24.06.2007
Yes i agree however this has been known for years now but there is so much info out there…!
Неділя, 23:54 24.06.2007
Silentz
Yes, my site already back to work after some problems at server (as I wrote yesterday). I moved to new server and now project continue to work. No force majeur can stop me .
Nice video. YouTube is nice service and there are nice videos on it. And this one is outstanding . Video on Yutube about hacking sites of youtube users. It is very ironic. And granting that Google (owner of Youtube) help with this situation makes it even more ironical.
Понеділок, 00:00 25.06.2007
Watches
There is a lot of different information in databases of search engines (which can be found). Because spiders index everything, including sensetive information . So search engines vendors need to improve their spiders (make them more selective).
Понеділок, 14:46 02.07.2007
The spiders are not to be blamed for security. They just collect whats public accessible. So not making confidential information public accessible has to be done in the first place. So the whole bug is nonsense.
Понеділок, 22:38 02.07.2007
Yes, I agree with MrT.
The problem are not the spiders, the problem are the site vendors or the users, who don’t care about security and publish sensitive information in public…