web application security lab

Google Hacks On Your Behalf

SecuriTeam released a pretty interesting issue with how search engines can be used to perform attacks on your behalf. This is exactly the sort of problem I have with automated crawling. Just the other day I was talking with Kyran about one of the major reasons I never liked Opera as it was being released. Pre-fetching (which is an awful lot like crawling) forces your browser to move ahead of where you are and click every link, essentially, to make your surfing faster. Faster? Yes. Safer? No.

In this case, Google is being used as a proxy for PHP include hacking. It is being used to inject PHP into unsuspecting websites by way of following links off the internet. Didn’t Google’s mom tell it not to index strange websites? This may be an easy one for Google to fix - just by having a list of all known exploits and not indexing those. Eesh.

Anyway, it was an interesting issue, one that I’ve definitely thought about before, and one we’ve already seen in the case of XSS and of auto-delete functions, where Google will delete entire websites because it clicks on every link (and those links perform whatever function they would normally perform under any user control). Not the best website design, but in the case of PHP includes, I don’t see how webmasters can really do much to protect themselves other than not using canned scripts with issues in them. Not a great answer to be sure.

There are other variants of this attack as well, and I’m sure you can all think of one or two on your own, but this is also similar to the XSS proxy stuff we’ve talked about. Getting third parties to hack on your behalf is starting to become more mainstream, I guess. Anyway, nice article from the SecuriTeam folks.
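A webmaster can at least see when a crawler has followed one of these links. The sketch below is an added example, not code from this post or from SecuriTeam: it scans combined-format access-log lines for crawler GET requests where a parameter value is itself a URL (the PHP include case) or names a destructive action (the auto-delete case). The crawler markers, action keywords and sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed, non-exhaustive crawler User-Agent markers; the header is client-supplied.
CRAWLERS = ("googlebot", "bingbot", "slurp")
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftp)://", re.I)      # parameter value is a URL
DESTRUCTIVE = re.compile(r"\b(?:delete|remove|unlink)", re.I)  # assumed action keywords
# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return (finding, parameter) pairs for one access-log line."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return []
    if not any(c in m["ua"].lower() for c in CRAWLERS):
        return []  # this check only looks at traffic that claims to be a crawler
    findings = []
    # parse_qsl percent-decodes, so URL-encoded values are still recognised.
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if REMOTE_VALUE.match(value):
            findings.append(("remote-url-parameter", name))
        if DESTRUCTIVE.search(name) or DESTRUCTIVE.search(value):
            findings.append(("state-change-over-get", name))
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
STAMP = "[01/Jan/2000:10:00:00 +0000]"
# Constructed sample log lines (documentation addresses, .invalid host).
SAMPLE = [
    f'192.0.2.10 - - {STAMP} "GET /index.php?page=http%3A%2F%2Fhost.invalid%2Finc.txt HTTP/1.1" 200 512 "-" "{BOT}"',
    f'192.0.2.10 - - {STAMP} "GET /admin.php?action=delete&id=7 HTTP/1.1" 200 88 "-" "{BOT}"',
    f'192.0.2.10 - - {STAMP} "GET /index.php?page=about HTTP/1.1" 200 900 "-" "{BOT}"',
    f'198.51.100.5 - - {STAMP} "GET /index.php?page=http://host.invalid/x HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    for lineno, found in scan(SAMPLE).items():
        print(lineno, found)
```

A hit on the second kind of finding is the cue to move that action behind a POST form, since crawlers follow links but do not submit forms.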

6 Responses to “Google Hacks On Your Behalf”

  1. WhiteAcid Says:

    I was just about to email you about their blog post :p

  2. pdp Says:

    this is not exactly new but still pretty good

  3. /pd Says:

    Gadi’s hand seems to write all over this POC :)-

  4. WhiteAcid Says:

    I wouldn’t be surprised.

  5. zeno Says:

    I started doing this a few years ago. Check out the link below and view source. I got the data from over a year; however, it is a few years old. I was studying which engines could be abused in the ‘best way’. Short answer, all of them….

    http://web.archive.org/web/20030426184220/http://www.cgisecurity.com/

    - zeno
    http://www.cgisecurity.com

  6. unsticky Says:

    I’ve noticed this happening a lot with php shells with ‘remove self’ type links… Most of the c99 Shell results on google were of the remove self links, so Google can both be a proxy of evil and an internet-maid