Hacking Google for Fun and Profit
Security is a big deal these days, now more than ever due to the way we interact with our data and the way it changes as technology evolves.
With hackers out there looking to access your data, be it for fun or profit, storing any data online is a risky business, regardless of the hefty jail sentences and fines that accessing such data can bring. But what about data that is publicly accessible?
I recently decided to see what I could find using nothing but Google and some specific search commands and within just a few hours (on my tablet may I add) I was able to uncover login details to a number of university websites among others – these included teacher and student login details to edit course information, timetables etc!
As my Google hacking improved I managed to find a .xls file containing a very well-known betting company’s entire social networking list along with micro sites, all containing login usernames and passwords – I could easily have logged into their Twitter account and started firing out my own tweets, deleted or uploaded my own videos to their YouTube account or whatever else I pleased.
I did all this over the weekend and once I showed Dave on Monday morning what I had done he was able to uncover a whole lot more, including login details for sites hosted on a well-known ‘website flipping’ company, over 50 Google user profile logins, Facebook login details and more, including Amazon accounts, Pinterest and Hotmail accounts and client FTP information, some of which was from other marketing agencies who should know better!
Unsurprisingly, Google Docs was something that kept cropping up. I can only assume users are thinking their data is private to them whilst selecting the different sharing options – but clearly it’s not!
While we sat shaking our heads, the truth is this is scary stuff. Matt Cutts goes on about hacked sites being an issue, whether it be for link building or other reasons, but the truth is you don’t need to hack or crack anything; you just need to do some clever searches within Google.
Of course this is not Google’s fault or issue. If you have data you don’t want Google (or anyone) to access then you should ensure they can’t – if Google can access your data you can be sure anyone or anything can.
So what does this teach us? Don’t make anything ‘private’ accessible to the search engines, and worry about where and how you’re storing your data, because it’s not just hackers you need to worry about.
A good way to protect yourselves as a backup is to use Google’s ‘site:’ command, but really, if you are getting notified by Google then it’s already too late!
Also, if it wasn’t obvious already, just because this data is publicly available doesn’t mean you have a right to play with it, so I’d advise you not to do anything stupid if you decide to become a Google hacker.
We have notified all parties of the data we were able to access and told them how to fix it.
If you’ve come across anything yourself, leave it in the comments below…