Google indexes the entire web continually, so if your website is visible on the web, you can be sure that Google's automated software bots are crawling all of it, looking for any significant changes that may have occurred. Unfortunately, files or information that you never intended to be public-facing may be uncovered using a technique called “Google Dorking”, which leverages Google's search operators to find that data.
From Wikipedia:
Google hacking, also named Google dorking, is a computer hacking technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites use.
Businessinsider.com recently published an article, “Term of the Day: ‘Google Dorking’”, which detailed the threat to businesses, showing how usernames and passwords, private customer correspondence, and even bank account information can be uncovered using this advanced hacking technique.
Recently I uncovered in the Google results private customer correspondence sent through the website’s contact form visible to everyone in the Google Search results. Of course, I notified the company of this security breach and I assume it was remedied or blocked from Google’s indexing bots.
A hacker can simply enter some common search operators into the Google search bar to uncover information about your website. According to Techworm.net, the following Google operators entered into the Google search bar can uncover sensitive info you probably don’t want exposed. This example uncovers email IDs.
Another dork can be used to glean email IDs from Google.
Dork: intext:@gmail.com filetype:xls
What can your business do to keep your sensitive information hidden from hackers using Google Dorking techniques? There are many good security practices that help keep your company information secure. Below, I have listed a few:
- Keep your highly sensitive information off your website. If your website is simply your public-facing marketing brochure, there is no reason to keep sensitive information on it. Public-facing websites are accessible to the entire world, so limiting access to your sensitive info is critical.
- Keep up with security updates. Falling behind on your website security updates only makes your website more vulnerable. Think of security updates as a priority item to be addressed quickly rather than just someday.
- Penetration test your website for common Google Dorks. Try penetration tests on your own website to see what comes up. If you feel unsure how to go about this, enlist the help of a professional to examine your website for security leaks.
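One way to begin that self-check from the inside, as an added example (not code from the original article): the Python sketch below walks a local copy of your web root and reports spreadsheet and export files that contain email addresses, which is the kind of file the `intext:@gmail.com filetype:xls` dork matches. The extension list, function names, and sample files are assumptions made for this illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed for this example: export/data formats that a filetype: operator can target.
RISKY_EXTENSIONS = {".xls", ".xlsx", ".csv", ".txt", ".log", ".sql", ".bak"}
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def extract_bytes(path):
    """Return searchable bytes; .xlsx is a zip archive, so read its XML members."""
    if path.suffix.lower() == ".xlsx" and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return b"\n".join(zf.read(n) for n in zf.namelist() if n.endswith(".xml"))
    data = path.read_bytes()
    # Heuristic: legacy .xls may hold UTF-16LE strings; a NUL-stripped copy exposes them.
    return data + b"\n" + data.replace(b"\x00", b"")

def audit_webroot(webroot):
    """Map each risky file (relative path) to the number of distinct emails found in it."""
    findings = {}
    root = Path(webroot)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in RISKY_EXTENSIONS:
            emails = set(EMAIL_RE.findall(extract_bytes(path)))
            if emails:
                findings[path.relative_to(root).as_posix()] = len(emails)
    return findings

def build_constructed_webroot(root):
    """Constructed sample site: one page, two leaked exports, one harmless text file."""
    root = Path(root)
    (root / "exports").mkdir()
    (root / "index.html").write_text("<p>Contact: sales@example.com</p>")
    (root / "exports" / "contacts.csv").write_text(
        "name,email\nAnn,ann@example.com\nBob,bob@example.org\n")
    with zipfile.ZipFile(root / "exports" / "leads.xlsx", "w") as zf:
        zf.writestr("xl/sharedStrings.xml", "<sst><si><t>carol@example.net</t></si></sst>")
    (root / "notes.txt").write_text("no addresses here")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_webroot(tmp)
        for name, count in audit_webroot(tmp).items():
            print(f"{name}: {count} email address(es) in a publicly served file")
```

Point `audit_webroot` at a checkout or backup of your real document root; every file it reports should be moved out of the web root or placed behind authentication.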
Together we can keep our websites and customer information secure if we follow good practices. The first step in employing good practices is to identify what information needs to be kept private and make sure it is not accessible through the internet.