Search engines, such as public ones like Google or companies’ internal intranet search tools, are typically used to find information and delve deeper into topics of interest. However, a more nefarious use of these tools is fast gaining prominence. Cybercriminals are hunting for sensitive data hidden in publicly accessible information by using dorks, a term describing the strings of searches resulting from “Google hacking” or “Google Dorking”.
Searching for something like “tennis serve tips” to improve your serve on the courts would raise several links to related articles. Google Dorking is less straightforward—you’d need to use advanced operators to locate specific information stored on websites (albeit hidden in code) that is not secured and, thus, unintentionally accessible publicly. Those with ill intentions will undoubtedly use this to mine data that will put an individual or enterprise in a vulnerable position.
There has been a spate of wide-scale security events involving Google Dorking. Among them was the widely reported data leak of a French political party’s data, found on the site of its web host using dorks (the strings of searches) of the type “Index of /”, and the discovery of numerous websites used by the CIA for communication, leading to multiple executions of agents working for the US.
To give an example of Dorking, the inquiry “inurl:files intext:nationality filetype:xls intext:<first name or last name type>” is likely to find Excel files that contain individuals’ information with columns displaying name and nationality. At the same time, a single well-chosen keyword—for example, the name of an enterprise application searched on the internet or the word “salary” searched on the company intranet—can be enough to find highly sensitive information.
Internal search engines of certain websites can also be exploited. A case in point: websites containing application source codes (e.g., GitHub), technical forums for software publishers, or job posting websites containing descriptions of sensitive technical environments can be ripe for using Google Dorking to find exploitable information.
Google Dorking is well known today because of the numerous tutorials available online, as well as specialized, private search engines (e.g., startpage.com) and websites listing thousands of dorks (e.g., Google Hacking Database), organized by their specific use cases (e.g., finding files containing passwords).
Google Dorking can be automated with dork scanners such as Zeus-scanner or with the help of PowerShell tools (PnP-PowerShell) for searches in Office365.
To guard against exploitation of internal search engines, organizations can:
- Use Data Loss Prevention software and services to detect data leakage of sensitive information, including tools that search non-indexed websites, like the Dark Web
- Implement Data Classification and Governance procedures, including oversight of how data is shared, like with Office365 Groups, starting with data that is most critical to business operation and would lead to the most significant risk events (e.g., sensitive trade groups, client data, HR information, etc.)
- Appropriately oversee outsourced activities with a Security Assurance Plan and raise providers’ awareness of the importance of the adequate protection and nondisclosure of the information accessible to them. When possible, require evidence of data destruction after a contract has expired
- Supervise the transfer of sensitive information to parties that do not always possess information systems security (SSI) protection capabilities (on their company intranet or the internet) equivalent to the organization’s capabilities
Organizations can also take measures to limit the impact of a known data leak:
- Develop a process for managing identified leaks, including actions to take for search engines and websites that have indexed the leak (e.g., Google search engine optimization (SEO) management)
- Have procedures for security incident management, including data breach (with regard to GDPR) and crisis management activities, noting the potential need for notification of regulatory authorities and impacted individuals
- Have a monitoring procedure and tools in place for social media networks, developing prepared responses for engaging with individuals on these platforms when dealing with a crisis
Google Dorking is a powerful technique cybercriminals are using to exploit vulnerabilities that are hard to find in an organization’s architecture. That said, you should keep in mind the possibility of this technique being used to assess your organization’s security risk—you could leverage Google Dorking to test out your company’s systems. Make dorking part of your organization’s security audit or Red Team discovery activities. Look at your vulnerable points from a malicious agent’s perspective and uncover the gaps that could cause harm to your organization. Cybercriminals are fast evolving their skills and activities, and in tandem, organizations need to evolve how they handle security.
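As an added example (not part of the original article), one way to run that self-assessment offline is to evaluate dork-style queries against a crawl inventory of your own public pages and see which URLs they would surface. The inventory, URLs and function names are constructed for illustration, and only the inurl, intext and filetype operators from the article's example are modeled.

```python
import re
from urllib.parse import urlparse

# Constructed inventory: what a crawl of your own public site might return.
INVENTORY = [
    {"url": "https://www.example.com/files/staff.xls",
     "title": "", "text": "name nationality start date"},
    {"url": "https://www.example.com/backup/",
     "title": "Index of /backup", "text": "Parent Directory db.sql"},
    {"url": "https://www.example.com/blog/tennis",
     "title": "Tennis serve tips", "text": "how to improve your serve"},
    {"url": "https://www.example.com/hr/grid.pdf",
     "title": "", "text": "salary grid 2023"},
]
# Queries taken from the article's own examples.
DORKS = ['inurl:files intext:nationality filetype:xls', '"Index of /"', 'salary']

# Token forms: operator:term, "quoted phrase", or bare term.
TOKEN = re.compile(r'(?:(\w+):)?(?:"([^"]*)"|(\S+))')

def parse_dork(dork):
    """Split a dork into (operator, term) pairs; bare terms count as intext."""
    return [((op or "intext").lower(), (quoted or bare).lower())
            for op, quoted, bare in TOKEN.findall(dork)]

def matches(page, dork):
    """True if every operator in the dork is satisfied by this page."""
    url = page["url"].lower()
    name = urlparse(url).path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    body = (page["title"] + " " + page["text"]).lower()
    checks = {
        "inurl": lambda t: t in url,
        "intext": lambda t: t in body,
        "filetype": lambda t: t == ext,
    }
    pairs = parse_dork(dork)
    unknown = [op for op, _ in pairs if op not in checks]
    if unknown:
        raise ValueError(f"unsupported operator(s): {unknown}")
    return all(checks[op](term) for op, term in pairs)

def audit(inventory, dorks):
    """Map each dork to the inventory URLs it would surface (hits only)."""
    found = {d: [p["url"] for p in inventory if matches(p, d)] for d in dorks}
    return {d: urls for d, urls in found.items() if urls}
```

Each URL returned by `audit(INVENTORY, DORKS)` is a candidate for access control, removal, or de-indexing before someone else finds it.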
This article is written by Axel Petersen, Cybersecurity and Business Continuity Manager at Wavestone.