main
Report a problem

That password-protected site of yours - it ain't

Daniel Fleshbourne   on 22 August 2008 - 18:22 · 18 comments & 9991 views

Advertisement (Why?)
It's one of the simplest hacks we've seen in a long time, and the more elite computer users have known about it for a while, but it's still kinda cool and just a little bit unnerving: A hacker has revealed a way to use Google and other search engines to gain unauthorized access to password-protected content on a dizzying number of websites.

While plenty of webmasters require their visitors to register or pay a fee before viewing certain pages, they are typically more than eager for search engine bots to see the content for free. After all, the more search engines that catalog the info, the better the chances of luring new users. But the technique, known as cloaking, has a gaping loophole: if Google and other search engines can see the content without entering a password, so can you.

View: The full story @ The Reg

Share this Article

  • Technorati
  • Magnolia
  • Stumble upon it
  • Reddit
  • Blink List
  • Delicious
  • Slashdot
  • Furl
  • Facebook
  • Windows Live
  • Google
  • Newsvine
  • Yahoo
  • RawSugar
  • Netvouz

About the Author

Full name: Daniel Fleshbourne
User name: Daniel
Contact: via forum PM
Submissions: View All
More: View Bio   New!

Related news

 

Post a comment · Send to friend Comments · There are 18 additional comments
(1 reply) #1 XerXis on 22 Aug 2008 - 18:54
erm, so?
#1.1 excalpius on 23 Aug 2008 - 23:37
Inaccurate FUD article. This is a feature of google and search engines, not a "hack".
#2 sidroc on 22 Aug 2008 - 20:17
How is this news? Ive known about this for a long time. I am sure many others have too. Its also useful for when your workplace also blocks websites that are not business related . Google Cache is awesome stuff. Another neat trick is 99% of the time colleges store their finals and quizes and stuff on the file server of the teachers website for the class. Little bit of Google search and indexing, and you have the answers to most finals and quiz's at a lot of colleges.
#3 booboo on 22 Aug 2008 - 20:23
Yeah, this isn't news . This has been used for yeaaaars.

I use it when a forum replies have been deleted or edited due to bad content - just to see what they _originally_ posted
(2 replies) #4 HalcyonX12 on 22 Aug 2008 - 22:19
Newsflash, the internet is a public network, computers are insecure... Don't put anythong un thi unternet if yew dnot wannit read bie peeps
#4.1 Airlink on 23 Aug 2008 - 00:51
+1. Anyone who actualy thinks there really such a thing as information security on the internet is a fool.
#4.2 C_Guy on 24 Aug 2008 - 04:31
Well, THAT you could put on the Internet. I'm not even sure what language you are trying to communicate in but it certainly isn't English.
(2 replies) #5 aarste on 23 Aug 2008 - 01:43
well experts-exchange content never seems to be cached, always hate stumbling across that site when i'm looking up an issue
#5.1 asmodeus on 23 Aug 2008 - 01:50
If you scroll to the bottom of the page past the ads all the answers will be there, if your referrer was google.
#5.2 PROGAME on 23 Aug 2008 - 09:27
(asmodeus said @ #5.1)
If you scroll to the bottom of the page past the ads all the answers will be there, if your referrer was google.


true, and very useful
(2 replies) #6 hackncrap on 23 Aug 2008 - 03:16
lol thats nothing you should see this! i put this stuff on my site..
you can vciew private information on websites like edu sites a gov sites example:

"top secret" inurl:.gov (you put that in google)

some very potential info *cough* i will say now it would be illegal to read it even thou viewing it in port 80 (view pdfs as html will give you some invisibilty insted of downloading (using port 21) but like i said never read any its illegal and you'll probly never get caught espically if you search other countrys so you better not!!! i hav never done this scouts honour!!

Last edited by hackncrap on 23 Aug 2008 - 03:38
#6.1 funkymunky on 23 Aug 2008 - 15:14
Oh my, I tried that "just to see" and it took me to something I shouldn't have looked at
Awaits Special Agents knocking at my door.

Surely if they're stupid enough to have it on an OPEN internet then it's their fault if someone reads it??
#6.2 hackncrap on 23 Aug 2008 - 15:45
..

Last edited by hackncrap on 24 Aug 2008 - 03:05
#7 gollux on 23 Aug 2008 - 14:44
Heh! Information wants to be free. Once posted on the web, you cannot be sure that it has been truly deleted, or in this case protected. Reminds me of a parable about hiding a lamp under a basket, if you want it to be search engine friendly, it must be readable somehow, but I find it funny that these people haven't discovered the "nocache" meta tag. Or are so incompetent that they're relying on Google for site search when they should have their own search engine.

Reminds me of all the times some doofus has asked about protecting their html or javascript over on Sitepoint. First of all, it has to be displayed or executed by a browser, so it is recoverable. Second, usually people who want to do this are neophytes whose scripting is so pathetically laughable that it would be best hid so that others don't copy their mistakes.
#8 plastikaa on 24 Aug 2008 - 08:47
oldz
#9 .Kompressor on 25 Aug 2008 - 17:59

oh noes... l33t !





maybe if you had a look at O'rielly Google Hacks... it will reveal more.
#10 +Xtreme2damax on 25 Aug 2008 - 18:56
You can just exclude bots from indexing restricted directories or files as it is with most forum software and CMS's, typically on forums registered users have basic access, Administrators and Moderators can only access sensitive directories.

That's one of the main reasons I've changed the name of my admin directory for both my portal and forum and have chosen a strong password, denied anyone else but administrators access to the directory and excluded bots from seeing or accessing those directories with a robots.txt file.
#11 The_Decryptor on 26 Aug 2008 - 10:33
The Register has discovered User Agent Spoofing!

I've been doing this since Firefox 0.8 (or so), but hey, what's old is new again!

Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Advertisement (Why?)
News powered by Neowin Management System (Build - 5.0.1345) © 2000 - 2008 Neowin.net