Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Google Adsense bot exploitable? (Was: Supporters urge halt to, hacker's, extradition to US)
From: n3td3v <xploitable () gmail com>
Date: Tue, 30 Sep 2008 23:23:18 +0100

On Tue, Sep 30, 2008 at 10:55 PM, Eliah Kagan
<degeneracypressure () gmail com> wrote:
I wrote:
When a http indexing bot (like those used by Google, for instance)
comes upon a hyperlink into a page that is http authenticated, does it
follow the link and try a blank password, or does it not follow the
link? Is there some accepted standard for that?

If it is considered acceptable to assume that access is permitted to
any system that doesn't have passwords set but present http
authentication, it would be hard to argue that other forms of
authentication are different. Of course, having gained access, making
deliberate modifications, however slight, would be illegal.

n3td3v wrote:
All you do is give Googlebot the password and hey presto! Read below:

https://www.google.com/adsense/support/bin/answer.py?answer=37081

Yes, but what I'm asking about is what happens if the Google bot (or
other bots) are indexing and come upon a hyperlink, which otherwise
would be followed, of the form:

http://someone () [subdomains ]somewhere tld

Does it then try the null ("") password to authenticate, or does it
stop there? Would it be considered computer fraud to try the null
password in this situation?

This is not necessary a page of a Google AdSense customer. It could be anything.

Isn't think what happened to make a whole bunch of Papa Johns'
corporate emails public via the Google cache? (And nobody pressed
criminal charges against Google developers...)

-Eliah


Could the bad guys exploit this Adsense bot to do a bit of
reconnaissance work if they had obtained passwords and given them to
the bot? What kind of info does Adsense bot give back to the bad guys
about password-protected pages it has been told to access? I'm not
talking about the Mckinnon case right now, I just think I might have
just opened a can of worms on a seperate issue. This bot could go in
to places and break the law, while the bad guys break no law? This
needs to be researched.

All the best,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Google Adsense bot exploitable? (Was: Supporters urge halt to, hacker's, extradition to US) n3td3v (Sep 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault