Browse archive

Latest news

(IN)SECURE Magazine issue 38 released

Facebook once again accessible via Tor

Employees biggest IT threat to businesses

Google asks secret court permission to publish FISA numbers

Oracle releases critical security updates for Java

Failed backups endanger revenue and productivity

The security of WordPress plugins

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Businesses not fully implementing infosec programs

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

Hacking charge stations for electric cars

Use Google's indexing capabilities to identify vulnerabilities

Posted on 28 July 2011.

Next week at Black Hat, Stach & Liu researchers Francis Brown and Rob Ragan will show how the power of Google’s indexing capabilities can be harnessed to identify vulnerabilities - particularly SQL injection flaws - that can be used to take over millions of websites that are at risk.

By searching for the right string of information, an attacker can find massive amounts of sensitive data and extract it with a few simple exploits.

Over the past year, Stach & Liu has built what may be the world's single largest repository of live vulnerabilities on the web – in fact, over 3,000 new vulnerable websites are added per day to this database via real-time RSS feed updates from both Google and Bing.

After a year of collecting this research, Brown and Ragan are returning to Black Hat to give the security community the defensive tools they’ve been asking for to help solve this problem.

Brown and Ragan will also show how Google hacking was used in several other recent, high profile attacks:

Late last month, the entire user database of Groupon’s Indian subsidiary, Sosasta.com, was accidentally published to the Internet and indexed by Google, exposing the email addresses and clear text passwords of the site’s 300,000 users.
In the spring, the Liza Moon virus affected more than four million websites, injecting malicious SQL codes into popular websites and redirecting users to sites that deliver malware.
A similar mass SQLi attack last year compromised thousands of websites, including The Jerusalem Post and The Wall Street Journal.

Last year, Brown and Ragan revolutionized the way Google and Bing hacking is done in an under-hyped Black Hat presentation called “Lord of the Bing.” That presentation only scratched the surface of what’s truly possible with Google hacking.

“Since our Black Hat talk a year ago, our team has worked diligently to develop and deliver this full arsenal of defensive Google and Bing hacking tools that can take in millions of vulnerabilities and identify when your websites are vulnerable to attack,” said Francis Brown, Managing Partner at Stach & Liu. “Google has made it incredibly easy to find these types of vulnerabilities through their indexing and that has left many sites at risk. To put it in perspective, if Groupon.com had been using our tools, they would have gotten an alert via iPhone or Droid apps and found the vulnerability before anyone else did.”