An online cyber security researcher going by the name of Fabio Castro in Brazil has just disclosed a serious vulnerability attached to the Google search engine. In research revealed via his Twitter page earlier today, January 10th 2019, Mr. Castro showed that if you enter a specific string of characters and symbols into a Google search, you can reach portions, sections, folders, files or databases that you otherwise should not be able to.
As a proof of concept (PoC), Mr. Castro entered the string intitle:"Index of /" passport into Google this morning and managed to stumble across countless international photo IDs, passports, driver's licenses and the like through Google Images. While the exact number exposed is impossible to quantify, we could be talking about thousands upon thousands of active government-issued IDs compromised by this glitch/vulnerability all across the world. For example, Mr. Castro has already admitted to maliciously downloading documents for himself, primarily targeting Brazilian driver's licenses.
If you search for intitle: "Index of /" Passport on Google Images and search for images larger than 1024 × 768 you will find thousands of websites displaying photos of passports and important documents. @campuscodi @malwrhunterteam @felipepayao pic.twitter.com/4ODYrHcX6W
— Fábio Castro (@hackatnow) January 10, 2019
After thinking for a while about how this sort of thing could have happened, and after analyzing the URL structure tied to the photos leaked onto Google's servers, it is my professional opinion that this is a glitch resulting from Google's web bots and crawlers. For example, nearly every government or corporate website in the world is attached to Google's search engine on one level or another, meaning that the site has been indexed to be crawled by Google's various artificial-intelligence web bots, seemingly at random.
Now, unless you are a security 🤓 like me, or run insanely strict firewall rules, you might not realize how much Google actually attempts to "learn" about any and every website located on the ClearNet. For example, every once in a while Rogue Security Labs manages to catch Google's web bots attempting to crawl/index things they should have no business learning, such as my site's JSON files. Tying things together, especially given the developments of today, I am also willing to bet that none of this is an isolated process, and that Google's bots have either been intentionally configured or accidentally reconfigured to crawl various file systems across the web. There is no telling which, really; only Google's developers know that answer.
If you do not block these bots or employ strict enough rules on your firewall, then Google will do anything and everything it can to index everything on your site, seemingly with no restraint whatsoever. After thinking about it for long enough and piecing some more information together in my head, unfortunately, this appears to be a variation of the same exact bug/vulnerability that led to the death of 30 clandestine CIA agents in Iran last November.
For those of you who do not remember, as was first reported by Yahoo News on November 2nd 2018, Iranian agents managed to enter different search strings on Google's search engine that led hackers directly to site pages attached to the back end of "secret" websites used by various CIA agents/operatives to coordinate, communicate and exchange messages with one another. For example, a later report revealed that a search made up of the words "CIA secret website login" really did lead hackers to web pages of undercover operatives, web pages that hackers were then able to brute-force and/or hack. Later reports revealed that agents in China were also able to compromise undercover operatives through similar hacks/vulnerabilities from 2009 to 2013, leading to the deaths of dozens more.
Between 2009 and 2013, Iran compromised a CIA system used to talk to operatives in Iran by using Google to identify the websites that concealed communications, Yahoo News reports https://t.co/yMqppAnkLB
— Axios (@axios) November 2, 2018
Honestly, there really is no easy fix to this problem. If your website is one of those affected, then, considering that Google has already indexed the web pages and files in question, Google would have to audit its own systems and servers to remove them manually. If you are a website owner looking to build your site in the future, then either hire Rogue Security Labs to manage your website security or learn how to build and employ stricter firewall rules yourself. The only way to prevent Google from indexing your site is by blocking the various web bots/crawlers from doing so. It is an advanced problem that is nonetheless easily exploited, and that is the real problem here.
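The listings Mr. Castro found are auto-generated directory indexes that a crawler reaches like any other page. As an added example, not code from the original post or from Rogue Security Labs, here is a small Python audit a site owner can run against their own server's responses: it flags an autoindex page, names files matching a constructed watch-list, and checks for an X-Robots-Tag: noindex header (the sample response body is constructed to resemble an Apache mod_autoindex page).

```python
import re

# Apache mod_autoindex and nginx autoindex both title their listings "Index of /<path>"
LISTING_TITLE = re.compile(r"^\s*index of\s+/", re.IGNORECASE)
# Constructed watch-list: names a defender would not want visible in a crawlable listing
SENSITIVE = re.compile(r"passport|licen[cs]e|\.json$|\.sql$|\.bak$|\.env$", re.IGNORECASE)
TITLE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
HREF = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def audit(status, headers, body):
    """Return findings for one HTTP response (status code, header dict, HTML body)."""
    findings = []
    title = TITLE.search(body)
    if status != 200 or not title or not LISTING_TITLE.match(title.group(1)):
        return findings  # not an auto-generated directory listing, nothing to flag
    findings.append("directory listing enabled")
    # Sort links ("?C=N;O=D") and the parent link ("/uploads/") are not files of this directory
    files = [h for h in HREF.findall(body) if not h.startswith(("?", "/", "../"))]
    hits = sorted({h for h in files if SENSITIVE.search(h)})
    if hits:
        findings.append("sensitive names in listing: " + ", ".join(hits))
    # robots.txt only limits crawling; noindex is what keeps an already-linked URL out of results
    robots = {k.lower(): v for k, v in headers.items()}.get("x-robots-tag", "")
    if "noindex" not in robots.lower():
        findings.append("no X-Robots-Tag: noindex, crawlers may index this listing")
    return findings


# Constructed sample: the page Apache serves for a directory when Options +Indexes is left on
SAMPLE_BODY = """<html><head><title>Index of /uploads/docs</title></head><body>
<h1>Index of /uploads/docs</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/uploads/">Parent Directory</a>
<a href="passport_scan_0001.jpg">passport_scan_0001.jpg</a>
<a href="drivers_license.png">drivers_license.png</a>
<a href="config.json">config.json</a>
<a href="readme.txt">readme.txt</a></pre></body></html>"""
# Hardened variant of the same directory: listing disabled, server answers 403 instead
FORBIDDEN_BODY = "<html><head><title>403 Forbidden</title></head></html>"

if __name__ == "__main__":
    for line in audit(200, {"Content-Type": "text/html"}, SAMPLE_BODY):
        print("FINDING:", line)
    print("after Options -Indexes:", audit(403, {}, FORBIDDEN_BODY))
```

Turning the listing off at the server (Apache Options -Indexes, nginx autoindex off) removes the page altogether; the header check matters because a robots.txt disallow stops crawling but does not keep a URL that is linked from elsewhere out of the index.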
On a side note, considering that I was at one point a clandestine agent in waiting and literally wrote the book on how to keep an anonymous identity online, I am quite frankly dumbfounded that agents actually employed by the CIA were dumb enough to coordinate with each other and with government offices on the ClearNet, never mind on an insecure website located on the ClearNet to boot. That is just a literal facepalm to me. But then again, I'm the one the CIA chose not to hire, so I guess that's their problem. Well done America.