Most people understand that if there is information visible on the Web, then Google knows about it. But what about the information that many people think is invisible? Chances are, Google knows about that too.
That’s because many Web sites, including big corporate sites, expose much more information than they realize. Everything from customer credit information to administrator passwords has turned up in Google searches.
In corporate Web security, this is clearly a serious problem. But many companies pay little attention to it because they don’t know how to perform the Google hacks that can find this sensitive information. Until now, of course.
GoolagScanner is a free open-source tool from the Cult of the Dead Cow that makes it possible for Web site administrators and security personnel to quickly perform tests to see if their sites are exposing sensitive information to complex Google searches. The tool is mainly based on Johnny Long’s Google Hacking Database, which lists all of the potential Google hacks (or googledorks, as he calls them) that can be used to find sensitive information on Web sites.
Using the Windows-based GoolagScanner is pretty simple. The interface displays a list of dorks that users can perform on their sites to find out if they are exposing information to Google searches.
From the tool I could select the number of tests I wanted to run and then have GoolagScanner quickly run through them, showing any potential problems that my sites may have had.
Since GoolagScanner is basically running automated Google queries, users can quickly find their IP address blocked by Google for a short period of time. When this occurs, the user needs to fill out a captcha on Google to prove they are a human and not a robot. This can also be avoided by running tests in batches of 10.
Like some other cDc tools, GoolagScanner is a bit controversial and tends to inhabit a gray area of security tools. In most ways it is a perfectly legitimate security tool that can provide great value to Web sites that may not know that sensitive information is at risk.
But while the tool is intended for people to use on their own sites or sites that they manage, there is nothing stopping anyone from using GoolagScanner to find problems in any Web site.
My take on this is that the information needed to find this information through Google is already well-known in the hacker community, and that means both white hat and black hat hackers. If your site has these data holes, then the bad guys can already get to it without GoolagScanner.
Which means that as an administrator you need a way to find out if you have sensitive data exposed to Google, and that’s exactly what GoolagScanner does. Right now, I’d put it on the must-have tool list for any Web site administrator or security manager.
To try out the GoolagScanner, go to www.goolag.org.