SecuriTeam released a pretty interesting issue with how search engines can be used to perform attacks on your behalf. This is exactly the sort of problem I have with automated crawling. Just the other day I was talking with Kyran about one of the major reasons I never liked Opera as it was being released. Pre-fetching (which is an aweful lot like crawling) forces your browser to move ahead of where you are and click every link, essentially, to make your surfing faster. Faster? Yes. Safer? No.
In this case, Google is being used as a proxy for PHP include hacking. It is being used to inject PHP into unsuspecting websites by way of following links off the internet. Didn’t Google’s mom tell it not to index strange websites? This may be an easy one for Google to fix - just by having a list of all known exploits and not indexing those. Eesh.
Anyway, it was an interesting issue, that I’ve definitely thought about before, and we’ve already seen in the case of XSS and of auto delete functions, where Google will delete entire websites, because it clicks on every link (and those links perform whatever function they would normally perform under any user controll). Not the best website design, but in the case of PHP includes, I don’t see how webmasters can really do much to protect themselves other than not using canned scripts with issues in them. Not a great answer to be sure.
There are other variants of this attack as well, and I’m sure you can all think of one or you on your own, but ths is also similar to the XSS proxy stuff we’ve talked about. Getting third parties to hack on your behalf is starting to become more mainstream, I guess. Anyway, nice article from the SecuriTeam folks.