How to hack hundreds of websites with a single Google search

Disclaimer:
This post is not meant as an invitation to hack websites. The admin pages that search engines link to through the “search suggestions” in this article are so easy to find that it is, I think, exaggerated to call this a “hacking practice” (in fact, many of them had already been hacked and spammed by automated bots 😉 ). On the contrary, it is meant as advice to webmasters and sysadmins to double-check their installations and security measures.

Search engines crawl the Web, the entire Web, and they often discover something that nobody should see.

This is one of those cases: a webmaster forgets to password-protect the folder where a critical admin tool like phpMyAdmin lives, a search engine’s crawler reaches the folder, and the link ends up in its search index.

At this point it is easy for anyone to find these exposed installations: a very simple query on a search engine like Yahoo! returns 196 results (as of November 7th, 2008), each leading to the administrative home page of phpMyAdmin on a different domain, with root privileges.

The same query on Google returns 286 results, Live Search another 113, and so on: you only have to try other search engines to find more open phpMyAdmin pages.

phpMyAdmin is only an example: there are many other “magic words” you can search for, and you will discover that, while developers work every day to fix even the smallest security bug in their software, plenty of sysadmins leave the door wide open to everyone.
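A defender-side check for the failure described above, added here as an example (it is not code from the original post): it scans web server access log lines in Apache “combined” format for search-engine crawlers that fetched an admin path and received an HTTP 200 rather than a 401/403, which is exactly the moment a forgotten folder is about to be indexed. The sample log lines, the list of admin path prefixes and the crawler user-agent markers are constructed for the example.

```python
import re
from collections import namedtuple

# Apache/nginx "combined" log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Admin tools that must never answer 200 to an unauthenticated request (assumed list).
SENSITIVE_PREFIXES = ("/phpmyadmin", "/pma", "/admin", "/administrator")
# User-agent fragments of the crawlers run by the engines named in the post (assumed).
CRAWLER_MARKERS = ("googlebot", "slurp", "msnbot", "bingbot")

Finding = namedtuple("Finding", "ip path status crawler")

SAMPLE_LOG = """\
66.249.1.1 - - [07/Nov/2008:10:00:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
72.30.1.1 - - [07/Nov/2008:10:00:05 +0100] "GET /phpmyadmin/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
10.0.0.5 - - [07/Nov/2008:10:01:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0"
65.55.1.1 - - [07/Nov/2008:10:02:00 +0100] "GET /index.html HTTP/1.1" 200 1200 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
"""

def is_sensitive(path):
    return path.lower().startswith(SENSITIVE_PREFIXES)

def crawler_name(user_agent):
    ua = user_agent.lower()
    return next((m for m in CRAWLER_MARKERS if m in ua), None)

def find_exposed_admin_hits(lines):
    """Return crawler requests to an admin path that were answered with 200.
    A 401/403 means the folder is protected; a 200 means it will be indexed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        crawler = crawler_name(m["ua"])
        if crawler and is_sensitive(m["path"]) and m["status"] == "200":
            findings.append(Finding(m["ip"], m["path"], int(m["status"]), crawler))
    return findings

if __name__ == "__main__":
    for f in find_exposed_admin_hits(SAMPLE_LOG.splitlines()):
        print(f"EXPOSED: {f.crawler} fetched {f.path} from {f.ip} -> {f.status}")
```

Running the same function over a real access log (one line per call) turns the post's observation into an alert before the page shows up in anyone's search results.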

Do you want to suggest some other search? :)
