Feds Issue Bulletin on Google Dorking

An examples

An example of a “Google dork” query with accompanying responses.

A bulletin issued by the Department of Homeland Security, the FBI and the National Counterterrorism Center earlier this month warns law enforcement and private security personnel that malicious cyber actors can use “advanced search techniques” to discover sensitive information and other vulnerabilities in websites.  The bulletin, titled “Malicious Cyber Actors Use Advanced Search Techniques,” describes a set of techniques collectively referred to as “Google dorking” or “Google hacking” that use “advanced operators” to refine search queries to provide more specific results.  Lists of these operators are provided by Google and include the following examples:

allintext: / intext: Restricts results to those containing all the query terms you specify in the text of the page
allintitle: / intitle: Restricts results to those containing all the query terms you specify in the title
allinurl: / inurl: Restricts results to those containing all the query terms you specify in the URL
filetype:suffix Limits results to pages whose names end in suffix
site: Using the site: operator restricts your search results to the site or domain you specify
Minus sign  ( – ) to exclude Placing  a minus sign immediately before a word indicates that you do not want pages that contain this word to appear in your results
Phrase search (using double quotes, “…” ) By putting double quotes around a set of words, you are telling Google to consider the exact words in that exact order without any change

Here is an example of a query constructed from these operators:

“sensitive but unclassified” filetype:pdf site:publicintelligence.net

The bulletin warns that malicious cyber actors can use these techniques to “locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks.”  Hackers searching for “specific file types and keywords . . . can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.”  Moreover, “freely available online tools can run automated scans using multiple dork queries” to discover vulnerabilities.  In fact, the bulletin recommends that security professionals use these tools “such as the Google Hacking Database, found at http://www.exploit-db.com/google-dorks, to run pre-made dork queries to find discoverable proprietary information and website vulnerabilities.”

Several security breaches related to the use of “advanced search techniques” are also referenced in the bulletin.  One incident in August 2011 resulted in the compromise of the personally identifiable information of approximately 43,000 faculty, staff, students and alumni of Yale University.  The information was located in a spreadsheet placed on a publicly accessible File Transfer Protocol (FTP) server and was listed in Google search results for more than ten months prior to being discovered.  Another incident in October 2013 involved attackers using Google dorking to discover websites running vulnerable versions of vBulletin message board software prior to running automated tools that created administrator accounts on the compromised sites.  As many as 35,000 websites were believed to have been compromised in the incident.

Share this: