It’s a widely known fact that Google Search is a valuable tool for attackers looking for a way into organizations’ information systems. “Google hacking” has been used for years by penetration testers and security researchers.
Ars Technica reports that the US Department of Homeland Security and the FBI has recently sent out a notification to police, public safety and security personnel, warning them about “Google dorking”, i.e. hacking (click on the screenshot to see the entire document):
“By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities,” the alert explains.
“For example, a simple operator:keyword syntax, such as filetype:xls intext:username in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.”
The notice also mentions two instances when “dorking” was used to breach websites, and alerts readers to the existence of the Diggity Project, a free penetration testing tool suite that allows users / attackers to automate Google dork queries.
Google hacking would not be such a successful technique if site owners and administrators took care to secure their websites, but the reality is that many don’t, and occasionally should be reminded to do it.
With the increased “attention” government and law enforcement websites are receiving from hacktivists in the last few years, the list of risk mitigation measures that the document includes will definitely come in handy.