Unprotected Google directory spills database data

Google has hurriedly fixed a gaping hole in its Web page removal request tool after outsiders discovered they could traverse up the directory root, browse folders and find weak database passwords.

The flaw, first reported by Earl of Grey's blog, exposed an unprotected internal Google directory. The Hacker Webzine poked around and found some fun stuff:

"Apparently it is a simple directory that wasn't protected, so we can traverse up their directory root and browse folders. A study gave me the impression this hole is unique, legit and not a honey pot. Now it can happen to the best of the best that a directory becomes readable. But, one must never, ever, not in a million years, store your database connection info in a folder that can be viewed remotely. Like the www folder."

And it looks like Google has a password-strength problem:

"What strikes me most is that they log in as root user and, second, the utter simplicity of the used passwords: 6 chars long, 4 digits and two letters in the first one. A little ironic regarding Google's advisory on password strength."

A rar file with some of the exposed data is available here. More from RSnake.
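
The two failures quoted above (database connection details kept under the web root, and a root login with a short password) can be checked for on your own servers. This is an added example, not code from the article or the quoted blogs; the key=value config format, the regex and the 12-character / three-class threshold are assumptions, and the sample values are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed key=value style credential lines; real applications vary.
CRED_RE = re.compile(
    r"""(?i)\b(?:db_?)?(user(?:name)?|pass(?:word|wd)?)\b\s*(?:=>|=|:)\s*["']?([^"'\s;,]+)"""
)

def weak_password(pw):
    """Assumed policy: weak if under 12 chars or fewer than three character classes."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(pw) < 12 or classes < 3

def audit_webroot(webroot):
    """Return sorted (relative_path, finding) pairs for files under webroot."""
    findings = []
    for path in Path(webroot).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        # Normalise key names to "user" / "pass" regardless of spelling.
        creds = {k.lower()[:4]: v for k, v in CRED_RE.findall(text)}
        if "pass" not in creds:
            continue
        rel = path.relative_to(webroot).as_posix()
        findings.append((rel, "credentials stored under web root"))
        if creds.get("user") == "root":
            findings.append((rel, "connects as root"))
        if weak_password(creds["pass"]):
            findings.append((rel, "weak password"))
    return sorted(findings)

def demo():
    """Build a constructed web root with sample files and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        # Constructed sample values, not taken from the exposed data.
        (root / "inc" / "db.conf").write_text("db_user = root\ndb_password = ab1234\n")
        (root / "index.html").write_text("<h1>Removal request</h1>\n")
        return audit_webroot(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

The pattern match is a heuristic: a hit means the file deserves a look, and a clean run does not prove the web root is free of secrets.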

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
