News Release

Hackers turn to Google


New Scientist

Computer hackers have adopted a startling strategy in their attempts to break into websites. By using the popular search engine Google, they don't have to visit a site to plan an attack. Instead, they can get all the information they need from Google's cached versions of web pages, say experts in the US.

One way that hackers can break into a website is by hunting for private pages that contain the usernames and passwords required to access secure parts of the site. These pages are usually hidden from the casual browser because there are no hyperlinks to them on the web. But sometimes websites contain hidden hyperlinks or indexes that point to these private pages. These links may be inserted by faulty software, or they may be created by the owner for temporary use and later forgotten or not properly deleted. Either way, they are serious security loopholes.

Hackers usually hunt for these private pages by trial and error, an activity that an alert webmaster can spot by monitoring traffic on supposedly private parts of the site. But search engines now make this kind of trawling unnecessary, says Johnny Long, a professional hacker based in the US who is hired by companies to test their security.

Search engines build their databases by systematically following the links they find on web pages. The search engine then records the contents of each page. So if a website contains a link to a sensitive page, a search engine will record it.

These pages would still be hard to find if web servers did not often use the same name for pages that contain passwords and other sensitive information. For example, one common filename for passwords is "bash history". Long says an obvious combination of search terms would include the terms "bash history", "temporary" and "password".

Since Google makes its cached pages available, hackers can access this information without alerting a webmaster, even if the data has since been removed from the web. Long plans to outline the technique this week at Defcon, the annual hackers' conference in Las Vegas. Google says it bears no responsibility for the way the information it collects is used. "Our search tools are very useful to researchers. There is not a lot we can do to prevent hacking," says a company spokesman.

The responsibility for securing a site lies with the people operating it, says Danny Sullivan, editor of the website SearchEngineWatch.com: "Search engines make it easier for everyone to gain information, hackers included."

###

Author: Celeste Biever

New Scientist issue: 2 AUGUST 2003

UK CONTACT - Claire Bowles, New Scientist Press Office, London:
Tel: 44-0-20-7331-2751 or email claire.bowles@rbi.co.uk

US CONTACT - Michelle Soucy, New Scientist Boston Office:
Tel: 1-617-558-4939 or email michelle.soucy@newscientist.com

PLEASE MENTION NEW SCIENTIST AS THE SOURCE OF THIS STORY AND, IF PUBLISHING ONLINE, PLEASE CARRY A HYPERLINK TO: http://www.newscientist.com

"These articles are posted on this site to give advance access to other authorised media who may wish to quote extracts as part of fair dealing with this copyrighted material. Full attribution is required, and if publishing online a link to http://www.newscientist.com is also required. Advance permission is required before any and every reproduction of each article in full - please contact celia.thomas@rbi.co.uk. Please note that all material is copyright of Reed Business Information Limited and we reserve the right to take such action as we consider appropriate to protect such copyright."

