Security Speak #1: Google Dorking

 
 

A hacker's favourite exploit. Why risk detection by scanning a company's internet footprint when Google's done the hard work for you?

Google dorks are a list of search requests that pick up sensitive information unwittingly exposed to the unsuspecting world by careless employees. 

Discovered by Johnny Long back in 2002, Google Dorking is still very much alive. The power and flexibility of the Google search engine makes it difficult for companies to ensure that they're not exposing any sensitive data, however sometimes it's worryingly easy. A simple search query such as:

intext:"ssn" filetype:xls

is often all it takes to find vast quantities of social security numbers stored in publicly accessible files. Similarly, queries such as:

intitle: "index of" password

have been known to uncover user password lists.

Google dorks are collected on websites such as Google Dorking, the Exploit Database or enthusiastic amateurs. The NSA even have their favourite searches.

For more information about Google Dorks - Google it!