Using Google As A Hacking Tool
Does using Google Search for malicious purposes affect the application of their “Don’t Be Evil” motto even if the negative activity isn’t actually their fault? Should Google restrict some of their search command capabilities if the results are being used to attack other sites?
If you ask the folks who were victims of these types of attacks, then yes, Google should apply limitations to some of their search query commands.
First off, I’m sure many of you have heard about Shoemoney’s recent hacking incident, something he blogged extensively about. Apparently, some enterprising hackers found vulnerabilities on his server using Google Code Search and exploited them (for more details, Shoemoney’s write-up is quite thorough).
While the mistakes that left his site vulnerable were corrected, Shoemoney then conducted his own Google Code searches in an effort to find other exploitable files. The results of his queries confirmed the speculation - a lot of sites are open to similar types of attacks and these holes aren’t that hard to find if you can enter the proper query into Google Code Search.
Another example provided by blogger IncrediBILL helps support Shoemoney’s fear about hackers using Google to harm other sites, however, this particular incident involved a viral worm conducting Google searches looking for sites with PHP vulnerabilities.
Once these sites were located, a file was installed that continued this process - “When I opened the file my virus scanner claimed it was a Perl.Asan virus so I did a bit of research and Panda claims it’s the Perl/Asan.A.worm or something similar, that locates and infects phpBB systems.”
To combat this, Bill would like to see Google block or limit these types of searches that can help malicious users find vulnerable sites. He also suggests Google should use their limitless financial means to, “have a few security experts on hand, maybe working in conjunction with Panda, Symantec and such, that keep on top of these specific threats and block the specific searches used to locate vulnerable sites.”
Should Google limit the capabilities of some of their search functions? Or should webmasters be more conscientious of the vulnerabilities their sites may possess?
Add to 
Del.icio.us | 
Digg | 
Reddit | 
Furl
Yes, Google should restrict some searching capabilities.
They may be top for search (and slowly taking over the www) but that could change very quickly if they ignore the growing number of victims that are getting their sites harmed courtesy of Google.
how is this googles fault?
if anyone can download the code to the server, they could just as well do the search on their own copy of the code. sure, using a search engine makes it easier to locate bad code if that happens to be the same in different codebases, but blocking such searches does not stop anyone, it only slows them down. at the same time developers who want to search for such issues to fix them are also blocked from such searches, and thus you’d be blocking the good and the bad.
blocking such searches is nothing more than security by obscurity which has been denounced as a bad idea often enough.
anyone concerned about people reading their code should not publish the code in the first place.
greetings, eMBee.
This just highlights the fact that you cannot just blindly trust code. Since the explosion of LAMP, there have been a lot of amateur coders writing web applications like message boards, blog tools, and e-commerce apps.
If you use free, or very cheap code to setup your site, don’t expect it to be the same quality as more expensive software from well established and reputable companies. If you don’t have the time and know-how to look for weaknesses and tweak the configuration, pay someone who does have that skill to do it for you. That way you have someone to blame when something goes wrong.
Blaming Google for your site getting hacked is like blaming auto-makers when you crash your car while driving drunk.
There is no such thing as cheap code. Just cheap coders. Enterprise applications backed up by established reputable companies (ahem… XP/98/95 etc..) have serious flaws just like any badly written LAMP app. Regardless of who or what you use to write code bad code is bad code and is expliotable.
I don’t think I’m advocating security by obscurity, but Google giving hackers a roadmap to the sites with vulernable software is a real problem.
From the minute that a vulnerability is posted on a security advisory site the hackers can quickly modify the list of keyword searches in their code and fire up an entire botnet to locate and infiltrate all of the easily identifiable sites in the search engines within hours.
People running sites that need updates should at least have a fighting chance to get the update from the developer, assuming the developer has even patched the code yet, which typically isn’t the case at the time of the initial security alert.
Try this http://searchable.awardspace.com/
It use google co-op to find files and directory without protection in internet.