Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [inbox] Re: Supporters urge halt to, hacker's, extradition to US
From: "Eliah Kagan" <degeneracypressure () gmail com>
Date: Tue, 30 Sep 2008 17:55:18 -0400

I wrote:
When a http indexing bot (like those used by Google, for instance)
comes upon a hyperlink into a page that is http authenticated, does it
follow the link and try a blank password, or does it not follow the
link? Is there some accepted standard for that?

If it is considered acceptable to assume that access is permitted to
any system that doesn't have passwords set but present http
authentication, it would be hard to argue that other forms of
authentication are different. Of course, having gained access, making
deliberate modifications, however slight, would be illegal.

n3td3v wrote:
All you do is give Googlebot the password and hey presto! Read below:


Yes, but what I'm asking about is what happens if the Google bot (or
other bots) are indexing and come upon a hyperlink, which otherwise
would be followed, of the form:

http://someone () [subdomains ]somewhere tld

Does it then try the null ("") password to authenticate, or does it
stop there? Would it be considered computer fraud to try the null
password in this situation?

This is not necessary a page of a Google AdSense customer. It could be anything.

Isn't think what happened to make a whole bunch of Papa Johns'
corporate emails public via the Google cache? (And nobody pressed
criminal charges against Google developers...)


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]