We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Hackers use Google to get sensitive data

Search engine used to find info such as NI numbers

Hackers are employing search engines such as Google when attacking web applications that hold sensitive data, according to a security expert.

Amichai Shulman, founder and chief technology officer for database and application security company Imperva, said it takes just a few seconds to pluck data such as National Insurance numbers from websites using targeted search terms.

The fact that this data is even on the web is a human error; the information should never be published in the first place. But hackers are using Google in more sophisticated ways to automate attacks against websites, Shulman said.

Shulman said Imperva recently discovered a way to execute a SQL injection attack that comes from an IP address that belongs to Google.

In a SQL injection attack, a malicious instruction is entered on a web-based form and answered by a web application. It often can yield sensitive information from a backend database or be used to plant malicious code on the web page.

Shulman declined to give details on how the attack works during his presentation at the RSA Conference, but said it involves Google's advertising system. Google has been notified, he said.

Manipulating Google is particularly useful since it offers anonymity for a hacker plus an automated attack engine, Shulman said.

Tools such as Goolag and Gooscan can execute broad searches across the web for specific vulnerabilities and return lists of websites that have those problems.

"This is no more a script kiddy game - this is a business," Shulman said. "This is a very powerful hacking capability."

Another attack method is so-called Google worms, which use the search engine to find specific vulnerabilities. With the inclusion of additional code, the vulnerability can be exploited, Shulman said.

"In 2004, this was science fiction," Shulman said. "In 2008, this is a painful reality."

NEXT PAGE: The steps search engines are taking

IDG UK Sites

Sony Xperia Z3+ (UK Sony Xperia Z4) UK release date, price and specification: Pre-order the Sony Xp9......

IDG UK Sites

Why Intel’s vision of the future is a future I want to live in

IDG UK Sites

What Jony Ive's new job means for Apple design

IDG UK Sites

Jony Ive 'semi-retired' into new role: kicked upstairs as Chief Design Officer