Google hacking topic resurfaces with a vengeance

About a year ago the newswires were full of a new hacker modus operandi called 'Google hacking.'

Basically this involved using Google's advanced search syntax to extract all sorts of useful data from the Google search engine results.

For a time, it was possible to derive credit card numbers and all sorts of so-called dark information.

Then Google sealed up its search loopholes.

But now the problem is back, if Amichai Shulman, founder and CTO of Imperva, is to be believed.

Imperva says it has recently discovered a way to execute a SQL injection attack that comes from an IP address that belongs to Google.

For a SQL injection attack to be successful, a malicious instruction is entered into a Web-based form and answered by a Web application. The automated results can often be quite amazing.

Speaking at the RSA Europe security event on Monday of this week, Shulman declined to reveal the mechanics of how his carefully-crafted SQL attack worked, but the results apparently spoke for themselves.

This time around it's Google's Adwords system that appears to be open to interrogation.

According to the Imperva founder, using Google for hacking is an almost anonymous game, as it allows automation and, if you use the right browser, total anonymity.

Tools such as Goolag and Gooscan, says Shulman, can execute broad searches across the Web for specific vulnerabilities and return lists of Web sites that have those problems.

"This is no longer a script kiddy game; this is a business," Shulman told delegates at the event, adding that the technology represents a very powerful hacking capability...