That password-protected site of yours - it ain't

It's one of the simplest hacks we've seen in a long time, and the more elite computer users have known about it for a while, but it's still kinda cool and just a little bit unnerving: A hacker has revealed a way to use Google and other search engines to gain unauthorized access to password-protected content on a dizzying number of websites.

While plenty of webmasters require their visitors to register or pay a fee before viewing certain pages, they are typically more than eager for search engine bots to see the content for free. After all, the more search engines that catalog the info, the better the chances of luring new users. But the technique, known as cloaking, has a gaping loophole: if Google and other search engines can see the content without entering a password, so can you.

View: The full story @ The Reg
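Added example, not part of the original article: one way a site that cloaks can keep the crawler exemption from being open to every visitor is to decide it from forward-confirmed reverse DNS of the client IP instead of anything the client sends. It assumes the exemption would otherwise be keyed on a client-controlled request header (the article does not say which); the function names and DNS records below are constructed for the demo.

```python
import socket

# Hostname suffixes Google documents for verifying its crawlers by reverse DNS.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed DNS data (documentation address ranges) so the demo runs offline.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",  # consistent both ways
    "198.51.100.7": "crawl-1.googlebot.com",  # PTR chosen by the IP's owner
    "203.0.113.5": "host5.isp.example",  # ordinary visitor
}
A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "crawl-1.googlebot.com": ["192.0.2.99"],  # does not map back to the client
}


def fake_reverse(ip):
    """Stand-in for a PTR lookup over the constructed table."""
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]


def fake_forward(host):
    """Stand-in for an A lookup over the constructed table."""
    return A.get(host, [])


def is_verified_crawler(ip, reverse_lookup=None, forward_lookup=None):
    """True only if the PTR name is in a crawler domain AND resolves back
    to the same IP. Request headers are never consulted."""
    reverse_lookup = reverse_lookup or (lambda a: socket.gethostbyaddr(a)[0])
    forward_lookup = forward_lookup or (lambda h: socket.gethostbyname_ex(h)[2])
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
        if not host.endswith(CRAWLER_SUFFIXES):
            return False
        return ip in forward_lookup(host)
    except OSError:
        return False  # fail closed: an unresolvable client is not a crawler


def may_view_full_content(ip, logged_in, **resolvers):
    """Gate for the protected page: a valid session or a verified crawler."""
    return logged_in or is_verified_crawler(ip, **resolvers)
```

This check only settles who is asking; content served to a verified crawler can still surface through the search engine's cached copy, which the comments below discuss.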

18 Comments

How is this news? I've known about this for a long time. I am sure many others have too. It's also useful for when your workplace also blocks websites that are not business related :D. Google Cache is awesome stuff. Another neat trick is 99% of the time colleges store their finals and quizzes and stuff on the file server of the teacher's website for the class. Little bit of Google search and indexing, and you have the answers to most finals and quizzes at a lot of colleges.

Yeah, this isn't news :S. This has been used for yeaaaars.

I use it when forum replies have been deleted or edited due to bad content - just to see what they _originally_ posted :P

Newsflash, the internet is a public network, computers are insecure... Don't put anythong un thi unternet if yew dnot wannit read bie peeps

Well, THAT you could put on the Internet. I'm not even sure what language you are trying to communicate in but it certainly isn't English.

(asmodeus said @ #5.1)
If you scroll to the bottom of the page past the ads all the answers will be there, if your referrer was google.

true, and very useful

lol that's nothing, you should see this! I put this stuff on my site..
you can view private information on websites like edu sites and gov sites, example:

"top secret" inurl:.gov (you put that in google)

some very potential info *cough* I will say now it would be illegal to read it even though viewing it in port 80 (view pdfs as html will give you some invisibility instead of downloading (using port 21)) but like I said never read any, it's illegal and you'll probably never get caught especially if you search other countries so you better not!!! I have never done this, scout's honour!!

Oh my, I tried that "just to see" and it took me to something I shouldn't have looked at :(
Awaits Special Agents knocking at my door.

Surely if they're stupid enough to have it on an OPEN internet then it's their fault if someone reads it??

Heh! Information wants to be free. Once posted on the web, you cannot be sure that it has been truly deleted, or in this case protected. Reminds me of a parable about hiding a lamp under a basket, if you want it to be search engine friendly, it must be readable somehow, but I find it funny that these people haven't discovered the "nocache" meta tag. Or are so incompetent that they're relying on Google for site search when they should have their own search engine.

Reminds me of all the times some doofus has asked about protecting their html or javascript over on Sitepoint. First of all, it has to be displayed or executed by a browser, so it is recoverable. Second, usually people who want to do this are neophytes whose scripting is so pathetically laughable that it would be best hid so that others don't copy their mistakes.

You can just exclude bots from indexing restricted directories or files, as it is with most forum software and CMSs. Typically on forums registered users have basic access, Administrators and Moderators can only access sensitive directories.

That's one of the main reasons I've changed the name of my admin directory for both my portal and forum and have chosen a strong password, denied anyone else but administrators access to the directory and excluded bots from seeing or accessing those directories with a robots.txt file.
