Digital Marketing admin  

Googling your corporate secrets

Google and its website: a blind alliance

Suppose you own a website, “onlineshopper.com”, and when you google the keywords “online shopping website” you get a list of results that includes your own site alongside other sites related to that keyword. That is normal: we all want Google to find and index our websites, and every eCommerce site depends on it.

A. Your “onlineshopper.com” website is directly allied with Google.

B. Your website and your web server (where you have all your usernames and passwords stored) are directly related to each other.

C. Alarmingly, Google is indirectly allied with your web server.

You may be convinced that this is normal and not expect a phishing attack that uses Google to retrieve information from your web server. Now think about it: instead of searching for “online shopping website”, what if I search for “online shopper website usernames and passwords”? Will Google return the list of usernames and passwords for the online shopper website? As a security consultant, my answer is “MAYBE, SOMETIMES!”, but if you use Google dorks (search operators that tell Google precisely what to look for), the answer becomes a big “YES!” whenever your website is missing the relevant security settings.

Google Dorks can be intimidating.

Google looks like a watchdog on duty until you see the other side. Google may have answers to all your queries, but you have to frame your questions properly, and that is where GOOGLE DORKS come in. A dork is not a complicated piece of software that you install, run and wait on; it is a combination of search operators (intitle, inurl, intext, allinurl, filetype, etc.) with which you tell Google exactly what you are looking for.

For example, suppose your goal is to download Java-related PDF documents. A normal Google search would be “java pdf documents free download” (“free” is a mandatory keyword without which no Google search is complete). With Google dorks, your search becomes “filetype:pdf intext:java”. With these operators, Google understands exactly what you are looking for, far better than with the previous search, and you get more accurate results. That looks promising for effective Google searching.

However, attackers can use the same operators for a very different purpose: to extract information from your website or server. Suppose I am after usernames and passwords that Google has cached from web servers; a simple query such as “filetype:xls password site:in” returns Google results for the cached content of websites in India that have saved usernames and passwords. It is as simple as that. Turning to the online shopper website, a query such as “filetype:xls passwords inurl:onlineshopper.com” could produce results that would discourage anyone. In simple terms, your private or confidential information ends up available on the Internet, not because someone hacked it, but because Google was able to retrieve it for free.

How to prevent this?

Web robots (also called wanderers, crawlers or spiders) are programs that traverse the web automatically. Search engines such as Google, Bing and Yahoo run such crawlers to scan websites and extract information, and those crawlers read a file named “robots.txt” on each site to learn which parts they may visit.

robots.txt is a file that tells search engines what they may and may not access on the website. It is a kind of control that you have over the search engines, though only over well-behaved ones: it asks crawlers to stay away, it does not stop a browser, a script or a hostile crawler from fetching a file, and a Disallow line is itself public and points at the path it names, so sensitive files still belong outside the web root or behind authentication. Setting up robots.txt is not rocket science; you need to know which information will and will not be allowed into search engines. A sample robots.txt configuration looks like this.

User-agent: *
Allow: /website-content
Disallow: /user-details
Disallow: /admin-details
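To check that a robots.txt actually covers every path you consider sensitive, here is an added Python example (not code from the original article). The robots.txt text follows the article's sample with the required User-agent line added; the host onlineshopper.example and every URL in the list are constructed for illustration.

```python
"""Audit a robots.txt against the paths you never want indexed.

Added example, not from the original article.  The robots.txt text below
follows the article's sample with the required User-agent line added; the
host onlineshopper.example and every URL are constructed for illustration.
"""
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Constructed robots.txt.  Rules only take effect after a User-agent line;
# "*" means the block applies to every crawler.
ROBOTS_TXT = """\
User-agent: *
Allow: /website-content
Disallow: /user-details
Disallow: /admin-details
"""

# Constructed list of URLs that must never appear in search results.
# /backups has no rule in ROBOTS_TXT, so the audit should flag it.
SENSITIVE_URLS = [
    "https://onlineshopper.example/user-details/customers.xls",
    "https://onlineshopper.example/admin-details/config.bak",
    "https://onlineshopper.example/backups/passwords.xls",
]


def load_robots(text: str) -> RobotFileParser:
    """Parse robots.txt text offline, without fetching anything."""
    parser = RobotFileParser()
    parser.parse(text.splitlines())
    return parser


def still_crawlable(robots_text: str, urls: list[str],
                    agent: str = "Googlebot") -> list[str]:
    """Return the URLs that a well-behaved crawler identifying as `agent`
    is still permitted to fetch under this robots.txt.

    Note: the standard-library parser applies the first matching rule,
    whereas Google applies the most specific one, so keep Allow and
    Disallow prefixes non-overlapping if you want both to agree."""
    parser = load_robots(robots_text)
    return [url for url in urls if parser.can_fetch(agent, url)]


def suggest_disallows(urls: list[str]) -> list[str]:
    """Build one Disallow rule per leading path segment of the given URLs,
    keeping first-seen order and dropping duplicates."""
    prefixes: list[str] = []
    for url in urls:
        first_segment = urlparse(url).path.strip("/").split("/")[0]
        prefix = "/" + first_segment
        if prefix not in prefixes:
            prefixes.append(prefix)
    return [f"Disallow: {prefix}" for prefix in prefixes]


if __name__ == "__main__":
    exposed = still_crawlable(ROBOTS_TXT, SENSITIVE_URLS)
    for url in exposed:
        print("not covered by robots.txt:", url)
    for rule in suggest_disallows(exposed):
        print("add to robots.txt:", rule)
```

Run against the constructed input, the audit reports only the /backups spreadsheet and proposes a `Disallow: /backups` rule. Treat that rule as a stop-gap: the robots.txt file is public, so the line advertises the directory to anyone who reads it, and the durable fix is to move such files out of the web root or put them behind authentication.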

Unfortunately, these robots.txt settings are often overlooked or misconfigured by website designers. Surprisingly, most government and university websites in India are prone to this attack and reveal sensitive information about their sites. With malware, remote attacks, botnets and other high-level threats flooding the Internet, Google dorks can be even more threatening, since retrieving sensitive information requires nothing more than a working Internet connection on any device. Nor does it end with the retrieval of sensitive information: with Google dorks, anyone can find exposed CCTV cameras, modems, mail usernames, passwords and online order details simply by searching Google.
