May 31st, 2007

Unprotected Google directory spills database data

Posted by Ryan Naraine @ 9:06 am

Categories: Botnets, Browsers, Data theft, Exploit code, Google, Hackers, Metasploit, Mozilla, Open source, Passwords, Patch Watch, Pen testing, Privacy, Vulnerability research, Zero-day attacks

Tags: Directory, Google Inc., Database, Ryan Naraine

Google has hurriedly fixed a gaping hole in its Web page removal request tool after outsiders discovered they could traverse up the directory root, browse folders and find weak database passwords.

The flaw, first reported by Earl of Grey’s blog, exposed an unprotected internal Google directory. The Hacker Webzine poked around and found some fun stuff:

Apparently it is a simple directory that wasn’t protected, so we can traverse up their directory root and browse folders. A study gave me the impression this hole is unique, legit and not a honey pot. Now it can happen the best of the best that a directory becomes readable. But, one must never, ever, not in a million years, store your database connection info in a folder that can be viewed remotely. Like the www folder.

And it looks like Google has a password-strength problem:

What strikes me most is that they log in as root user and second the utter simplicity of the used passwords: 6 chars long 4 digits and two letters in the first one. A little ironic regarding Google’s advisory on password strength.

A rar file with some of the exposed data is available here. More from RSnake.